CVE-2022-0975 – This vulnerability is a use-after-free memory c... (How to Fix)

Q: What is the severity of CVE-2022-0975?

CVE-2022-0975 has a CVSS score of 8.8 (HIGH). This vulnerability is a use-after-free memory corruption flaw in ANGLE (Almost Native Graphics Layer Engine) component of Google Chrome. It allows remote attackers to potentially execute arbitrary code or cause heap corruption by tricking users into visiting a malicious HTML page. All Chrome users prior to version 99.0.4844.74 are affected.

📋 TL;DR

This vulnerability is a use-after-free memory corruption flaw in ANGLE (Almost Native Graphics Layer Engine) component of Google Chrome. It allows remote attackers to potentially execute arbitrary code or cause heap corruption by tricking users into visiting a malicious HTML page. All Chrome users prior to version 99.0.4844.74 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 99.0.4844.74

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: ANGLE is enabled by default on Windows and some other platforms for WebGL/OpenGL compatibility.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within sandboxed Chrome process.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites without user interaction beyond visiting the page.

🏢 Internal Only: MEDIUM - Requires user to visit malicious internal page, but could be used in targeted attacks.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Use-after-free vulnerabilities in browser engines are commonly exploited, but Chrome's sandbox makes full exploitation more difficult.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 99.0.4844.74 and later

Vendor Advisory: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html

Restart Required: Yes

Instructions:

1. Open Chrome menu > Help > About Google Chrome. 2. Chrome will automatically check for and install updates. 3. Click 'Relaunch' when prompted to complete the update.

🔧 Temporary Workarounds

Disable WebGL/ANGLE

all

Disable hardware acceleration and WebGL features that use ANGLE component

chrome://flags/#disable-accelerated-2d-canvas
chrome://flags/#ignore-gpu-blacklist
Set both to Disabled

🧯 If You Can't Patch

Disable JavaScript in Chrome settings (breaks most websites)
Use alternative browser temporarily

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in menu > Help > About Google Chrome

Check Version:

google-chrome --version (Linux) or chrome://version in address bar

Verify Fix Applied:

Verify version is 99.0.4844.74 or higher

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with ANGLE-related stack traces
Unexpected Chrome process termination

Network Indicators:

Requests to known malicious domains hosting exploit code
Unusual outbound connections after visiting suspicious sites

SIEM Query:

source="chrome_crash_reports" AND (message="*ANGLE*" OR message="*use-after-free*")

📊 Metadata

CVE ID: CVE-2022-0975

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: July 21, 2022

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html Release Notes,Vendor Advisory
https://crbug.com/1295411 Exploit,Issue Tracking,Patch,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html Release Notes,Vendor Advisory
https://crbug.com/1295411 Exploit,Issue Tracking,Patch,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0975, you might also want to check these: