Cyber Resilience

CVE-2022-0609

HighCISA KEVActive ExploitationEUVD Exploited

Published: 05 April 2022

Published
05 April 2022
Modified
24 October 2025
KEV Added
15 February 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.4900 97.8th percentile
Risk Priority 67 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-0609 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-0609 is a use-after-free vulnerability in the Animation component of Google Chrome versions prior to 98.0.4758.102. The flaw, tracked under CWE-416, can result in heap corruption when processing a specially crafted HTML page.

A remote attacker can exploit the issue without authentication by convincing a target to visit a malicious web page, potentially leading to arbitrary code execution with impacts on confidentiality, integrity, and availability as reflected in its CVSS 3.1 score of 8.8.

Chrome release notes for the stable channel update on 14 February 2022 and the associated Chromium bug report direct users to upgrade to version 98.0.4758.102 or later to address the vulnerability.

The CVE appears in CISA's known exploited vulnerabilities catalog, confirming observed in-the-wild exploitation, while its EPSS score has remained near 0.49.

EU & UK References

Vulnerability details

Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
15 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 98.0.4758.102

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the Chrome 98.0.4758.102 update that eliminates the use-after-free flaw before exploitation can occur.

prevent

Enforces memory-protection mechanisms that block use-after-free and resulting heap corruption in browser animation processing.

SC-18 Mobile Code partial match
prevent

Restricts or sanitizes mobile code (HTML/JS) delivered by untrusted pages, limiting the attack vector that triggers the Animation flaw.

References