CVE-2022-0609
Published: 05 April 2022
Summary
CVE-2022-0609 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 2.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-0609 is a use-after-free vulnerability in the Animation component of Google Chrome versions prior to 98.0.4758.102. The flaw, tracked under CWE-416, can result in heap corruption when processing a specially crafted HTML page.
A remote attacker can exploit the issue without authentication by convincing a target to visit a malicious web page, potentially leading to arbitrary code execution with impacts on confidentiality, integrity, and availability as reflected in its CVSS 3.1 score of 8.8.
Chrome release notes for the stable channel update on 14 February 2022 and the associated Chromium bug report direct users to upgrade to version 98.0.4758.102 or later to address the vulnerability.
The CVE appears in CISA's known exploited vulnerabilities catalog, confirming observed in-the-wild exploitation, while its EPSS score has remained near 0.49.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1213
Vulnerability details
Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-416
- KEV Date Added: 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely application of the Chrome 98.0.4758.102 update that eliminates the use-after-free flaw before exploitation can occur.
- Enforces memory-protection mechanisms that block use-after-free and resulting heap corruption in browser animation processing.
- Restricts or sanitizes mobile code (HTML/JS) delivered by untrusted pages, limiting the attack vector that triggers the Animation flaw.