CVE-2022-0793 – This is a use-after-free vulnerability in Googl... (How to Fix)

Q: What is the severity of CVE-2022-0793?

CVE-2022-0793 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Google Chrome's Cast component that could allow heap corruption. Attackers who convince users to install malicious extensions and perform specific interactions could potentially exploit this to execute arbitrary code. All Chrome users prior to version 99.0.4844.51 are affected.

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's Cast component that could allow heap corruption. Attackers who convince users to install malicious extensions and perform specific interactions could potentially exploit this to execute arbitrary code. All Chrome users prior to version 99.0.4844.51 are affected.

💻 Affected Systems

Products:

Google Chrome

Versions: All versions prior to 99.0.4844.51

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user to install a malicious Chrome extension and perform specific user interactions.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash or limited memory corruption due to the requirement for user interaction and malicious extension installation.

🟢

If Mitigated

No impact if Chrome is updated or if users don't install untrusted extensions.

🌐 Internet-Facing: MEDIUM - Requires user to install malicious extension and perform specific actions, but could be delivered via phishing.

🏢 Internal Only: LOW - Same requirements apply internally; less likely in controlled environments.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires social engineering to install malicious extension plus specific user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 99.0.4844.51 and later

Vendor Advisory: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable Chrome Extensions

all

Temporarily disable all Chrome extensions to prevent malicious extension installation.

chrome://extensions/ → Toggle off all extensions

Restrict Extension Installation

all

Configure Chrome policies to prevent users from installing extensions.

Windows: Set ExtensionInstallBlocklist policy to *
macOS/Linux: Configure ExtensionInstallBlacklist

🧯 If You Can't Patch

Implement application whitelisting to block Chrome execution
Use network filtering to block Chrome update domains to prevent downgrade attacks

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 99.0.4844.51, system is vulnerable.

Check Version:

chrome://version/ or 'google-chrome --version' (Linux)

Verify Fix Applied:

Confirm Chrome version is 99.0.4844.51 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption signatures
Unexpected extension installation events

Network Indicators:

Connections to known malicious extension repositories
Unusual outbound traffic from Chrome processes

SIEM Query:

source="chrome" AND (event="crash" OR event="extension_install")

📊 Metadata

CVE ID: CVE-2022-0793

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: April 5, 2022

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1291728 Exploit,Issue Tracking,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1291728 Exploit,Issue Tracking,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0793, you might also want to check these: