Login Sign Up

CVE-2022-0456

8.8 HIGH

📋 TL;DR

A use-after-free vulnerability in Chrome's Web Search component allows remote attackers to potentially exploit heap corruption when profiles are destroyed. This could lead to arbitrary code execution or browser crashes. All users of affected Chrome versions are vulnerable.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 98.0.4758.80
Operating Systems: Windows, macOS, Linux, ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: All Chrome installations with default settings are vulnerable. Chrome extensions or enterprise policies do not mitigate this vulnerability.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting a malicious website). No public exploit code is available, but the vulnerability is actively being patched.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 98.0.4758.80

Vendor Advisory: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu. 3. Go to Help > About Google Chrome. 4. Chrome will automatically check for and install updates. 5. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript to prevent exploitation via malicious websites.

chrome://settings/content/javascript

🧯 If You Can't Patch

  • Use Chrome's built-in site isolation feature (enabled by default) to limit impact.
  • Deploy network filtering to block known malicious domains and restrict web browsing.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Help > About Google Chrome. If version is below 98.0.4758.80, it is vulnerable.

Check Version:

google-chrome --version

Verify Fix Applied:

Confirm Chrome version is 98.0.4758.80 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with memory corruption signatures
  • Unexpected Chrome process termination

Network Indicators:

  • Unusual outbound connections from Chrome to unknown domains

SIEM Query:

source="chrome_crash_reports" AND (event_type="crash" OR memory_corruption="true")

📊 Metadata

CVE ID: CVE-2022-0456
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: April 5, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0456, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)