CVE-2022-0797 – This vulnerability allows remote attackers to p... (How to Fix)

Q: What is the severity of CVE-2022-0797?

CVE-2022-0797 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to perform out-of-bounds memory writes in Google Chrome's Mojo IPC framework via a crafted HTML page. Attackers could potentially execute arbitrary code or cause browser crashes. All users running vulnerable Chrome versions are affected.

📋 TL;DR

This vulnerability allows remote attackers to perform out-of-bounds memory writes in Google Chrome's Mojo IPC framework via a crafted HTML page. Attackers could potentially execute arbitrary code or cause browser crashes. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Versions prior to 99.0.4844.51

Operating Systems: Windows, macOS, Linux, Android, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Extensions or security settings don't mitigate this vulnerability.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious websites without user interaction beyond visiting the page.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires memory manipulation skills but no authentication. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 99.0.4844.51 and later

Vendor Advisory: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome menu > Help > About Google Chrome. 2. Chrome will automatically check for updates. 3. If update is available, click 'Relaunch' to apply. 4. For enterprise deployments, use Chrome Enterprise policies to push updates.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious scripts but breaks most web functionality

Use Chrome sandboxing

all

Ensure Chrome sandbox is enabled to limit impact of successful exploitation

chrome --no-sandbox (DO NOT USE - this disables sandbox)

🧯 If You Can't Patch

Use alternative browser until Chrome can be updated
Implement network filtering to block known malicious sites and restrict web browsing

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in menu > Help > About Google Chrome. If version is below 99.0.4844.51, system is vulnerable.

Check Version:

On Windows: chrome://version/ | On Linux: google-chrome --version | On macOS: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version

Verify Fix Applied:

Confirm Chrome version is 99.0.4844.51 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Unexpected process termination
Memory access violation errors in system logs

Network Indicators:

Unusual outbound connections from Chrome process
Requests to known malicious domains

SIEM Query:

process_name:"chrome.exe" AND (event_id:1000 OR event_id:1001) OR process_name:"chrome" AND signal:SIGSEGV

📊 Metadata

CVE ID: CVE-2022-0797

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 5, 2022

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1281908 Issue Tracking,Permissions Required,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1281908 Issue Tracking,Permissions Required,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0797, you might also want to check these: