{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2022-085.pdf" }, "title": "Type Confusion Vulnerability in Chrome Browser", "serial_number": "2022-085", "publish_date": "05-12-2022 13:10:00", "description": "On December 2, 2022, Google released a new version of its Chrome browser fixing a high-severity flaw, identified by \"CVE-2022-4262\" that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google is aware of reports that an exploit for CVE-2022-4262 exists in the wild. It is highly recommended to apply the update.", "url_title": "2022-085", "content_markdown": "---\ntitle: 'Type Confusion Vulnerability in\u00a0Chrome\u00a0Browser'\nversion: '1.0'\nnumber: '2022-085'\noriginal_date: 'December 2, 2022'\ndate: 'December 5, 2022'\n---\n\n_History:_\n\n* _5/12/2022 --- v1.0 -- Initial publication_\n \n# Summary\n\nOn December 2, 2022, Google released a new version of its Chrome browser fixing a high-severity flaw, identified by `CVE-2022-4262` [1] that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. \n\nGoogle is aware of reports that an exploit for CVE-2022-4262 exists in the wild. It is highly recommended to apply the update.\n\n# Technical Details\n\nThe `CVE-2022-4262` is a type confusion in the V8 JavaScript engine. Type confusion vulnerabilities arise when a program allocates or initialises a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type [2], potentially allowing an attacker to perform out-of-bound memory access. \n\nGoogle keeps the access to bug details and links restricted until a majority of users are updated with a fix. \n\n# Affected Products\n\n* Google Chrome for Mac, Windows and Linux before version `108.0.5359.94`.\n\n# Recommendations\n\nCERT-EU recommends updating to the latest version.\n\n# References\n\n[1] \n\n[2] \n", "content_html": "

History:

Summary

On December 2, 2022, Google released a new version of its Chrome browser fixing a high-severity flaw, identified by CVE-2022-4262 [1] that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Google is aware of reports that an exploit for CVE-2022-4262 exists in the wild. It is highly recommended to apply the update.

Technical Details

The CVE-2022-4262 is a type confusion in the V8 JavaScript engine. Type confusion vulnerabilities arise when a program allocates or initialises a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type [2], potentially allowing an attacker to perform out-of-bound memory access.

Google keeps the access to bug details and links restricted until a majority of users are updated with a fix.

Affected Products

Recommendations

CERT-EU recommends updating to the latest version.

References

[1] https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4262

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }