Login Sign Up

CVE-2022-0808

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Chrome OS Shell that allows remote attackers to potentially exploit heap corruption through user interactions. It affects Google Chrome on Chrome OS before version 99.0.4844.51. Attackers need to convince users to perform specific interactions to trigger the vulnerability.

💻 Affected Systems

Products:
  • Google Chrome
  • Chrome OS
Versions: All versions prior to 99.0.4844.51
Operating Systems: Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chrome OS devices running vulnerable Chrome versions; requires user interaction to exploit.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through heap corruption leading to arbitrary code execution, potentially allowing attackers to gain complete control of the Chrome OS device.

🟠

Likely Case

Application crash or denial of service, with potential for limited code execution in the Chrome OS Shell context.

🟢

If Mitigated

No impact if patched or if users avoid suspicious interactions; standard security controls like sandboxing may limit damage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction and specific conditions; no public exploit code available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 99.0.4844.51 and later

Vendor Advisory: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome browser on Chrome OS. 2. Click the three-dot menu > Help > About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable automatic Chrome updates

all

Prevent Chrome from automatically updating to ensure controlled patching.

chrome://settings/help
Toggle 'Automatically update Chrome for all users' to off

🧯 If You Can't Patch

  • Restrict user access to untrusted websites and applications.
  • Implement application whitelisting to prevent unauthorized Chrome usage.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version by navigating to chrome://settings/help and verifying if version is below 99.0.4844.51.

Check Version:

chrome://settings/help

Verify Fix Applied:

Confirm Chrome version is 99.0.4844.51 or higher in chrome://settings/help.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Unexpected process terminations in Chrome OS logs

Network Indicators:

  • Unusual outbound connections from Chrome processes

SIEM Query:

source="chrome_crash_reports" AND version<"99.0.4844.51"

📊 Metadata

CVE ID: CVE-2022-0808
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: April 5, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0808, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)