Login Sign Up

CVE-2022-1493

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Chrome's Dev Tools that could allow heap corruption. Attackers could potentially execute arbitrary code or cause crashes by tricking users into interacting with malicious Dev Tools content. Users of Google Chrome versions prior to 101.0.4951.41 are affected.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 101.0.4951.41
Operating Systems: Windows, macOS, Linux, ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Dev Tools to be open and user interaction with malicious content

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment

🟠

Likely Case

Browser crash or denial of service, with potential for limited code execution in browser context

🟢

If Mitigated

No impact if Chrome is updated to patched version or Dev Tools are disabled

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific user interaction with Dev Tools and is not trivial

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 101.0.4951.41

Vendor Advisory: https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html

Restart Required: Yes

Instructions:

1. Open Chrome 2. Click menu (three dots) → Help → About Google Chrome 3. Chrome will automatically check for and install updates 4. Click 'Relaunch' to restart Chrome

🔧 Temporary Workarounds

Disable Dev Tools

all

Prevent exploitation by disabling Chrome Dev Tools access

chrome://flags/#enable-devtools-experiments → Disabled
chrome://flags/#enable-devtools-experiments → Disabled

🧯 If You Can't Patch

  • Disable Chrome Dev Tools via group policy or registry settings
  • Use alternative browsers until Chrome can be updated

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in menu → Help → About Google Chrome

Check Version:

google-chrome --version (Linux) or check About page

Verify Fix Applied:

Verify Chrome version is 101.0.4951.41 or later

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with memory corruption signatures
  • Unexpected Dev Tools usage patterns

Network Indicators:

  • Unusual traffic from Chrome processes after Dev Tools interaction

SIEM Query:

source="chrome_crash_reports" AND (message="heap corruption" OR message="use-after-free")

📊 Metadata

CVE ID: CVE-2022-1493
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: July 26, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-1493, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)