CVE-2022-1635 – This is a use-after-free vulnerability in Googl... (How to Fix)

Q: What is the severity of CVE-2022-1635?

CVE-2022-1635 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Google Chrome's permission prompt system that could allow remote attackers to exploit heap corruption through specific UI interactions. Attackers could potentially execute arbitrary code or cause browser crashes by tricking users into interacting with malicious permission prompts. All Chrome users on versions prior to 101.0.4951.64 are affected.

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's permission prompt system that could allow remote attackers to exploit heap corruption through specific UI interactions. Attackers could potentially execute arbitrary code or cause browser crashes by tricking users into interacting with malicious permission prompts. All Chrome users on versions prior to 101.0.4951.64 are affected.

💻 Affected Systems

Products:

Google Chrome

Versions: All versions prior to 101.0.4951.64

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All Chrome installations are vulnerable by default. Chromium-based browsers may also be affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation on the victim's machine.

🟠

Likely Case

Browser crash or denial of service, with potential for limited code execution in the browser context.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if users avoid suspicious permission prompts.

🌐 Internet-Facing: HIGH - Attackers can host malicious websites that trigger the vulnerability when visited.

🏢 Internal Only: MEDIUM - Risk exists if internal users visit malicious sites or applications.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction with permission prompts. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 101.0.4951.64

Vendor Advisory: https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu. 3. Go to Help > About Google Chrome. 4. Chrome will automatically check for and install updates. 5. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable automatic permission prompts

all

Configure Chrome to ask before allowing permission requests

chrome://settings/content

Use site isolation

all

Enable site isolation to limit impact of potential exploitation

chrome://flags/#enable-site-per-process

🧯 If You Can't Patch

Use alternative browser until Chrome can be updated
Implement network filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in About Google Chrome page. If version is below 101.0.4951.64, system is vulnerable.

Check Version:

chrome://version/

Verify Fix Applied:

Confirm Chrome version is 101.0.4951.64 or higher in About Google Chrome page.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption errors
Unexpected permission prompt activity

Network Indicators:

Connections to suspicious domains followed by Chrome crashes

SIEM Query:

source="chrome" AND (event="crash" OR event="permission_prompt") AND version<"101.0.4951.64"

📊 Metadata

CVE ID: CVE-2022-1635

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: July 26, 2022

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html Release Notes,Vendor Advisory
https://crbug.com/1319797 Permissions Required,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory
https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html Release Notes,Vendor Advisory
https://crbug.com/1319797 Permissions Required,Vendor Advisory
https://security.gentoo.org/glsa/202208-25 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-1635, you might also want to check these: