CVE-2022-0114
📋 TL;DR
This vulnerability allows a remote attacker to perform out-of-bounds memory reads in Google Chrome's Blink Serial API. Attackers can exploit this via a crafted HTML page and virtual serial port driver to potentially leak sensitive memory contents. All users running affected Chrome versions are vulnerable.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Information disclosure leading to sensitive data leakage, potential memory corruption that could enable arbitrary code execution, or system compromise.
Likely Case
Information disclosure through memory reads, potentially exposing sensitive data like passwords, session tokens, or other application data.
If Mitigated
Limited impact with proper browser sandboxing and memory protection mechanisms in place, though information disclosure may still occur.
🎯 Exploit Status
Exploitation requires both a crafted HTML page and interaction with a virtual serial port driver.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 97.0.4692.71
Vendor Advisory: https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
Restart Required: Yes
Instructions:
1. Open Chrome browser.
2. Click three-dot menu → Help → About Google Chrome.
3. Browser will automatically check for and apply updates.
4. Restart Chrome when prompted.
🔧 Temporary Workarounds
Disable Serial API
All platforms: Disable the Serial API via Chrome flags to prevent exploitation.
chrome://flags/#enable-experimental-web-platform-features → Disabled
Restrict Serial Port Access
All platforms: Block websites from accessing serial ports via Chrome permissions.
chrome://settings/content/serial → Block all sites
🧯 If You Can't Patch
- Use alternative browsers without Serial API support
- Implement network filtering to block malicious HTML pages
🔍 How to Verify
Check if Vulnerable:
Check the Chrome version via chrome://version; the browser is vulnerable if the version is below 97.0.4692.71.
Check Version:
chrome://version
Verify Fix Applied:
Confirm Chrome version is 97.0.4692.71 or higher via chrome://version
📡 Detection & Monitoring
Log Indicators:
- Chrome crash reports with memory access violations
- Serial API access attempts from unusual sources
Network Indicators:
- HTTP requests to pages attempting serial port access
- Unusual serial port communication patterns
SIEM Query:
source="chrome" AND (event_type="crash" OR api_call="serial")
🔗 References
- https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
- https://crbug.com/1267627
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE/