Cyber Resilience

CVE-2022-1096

HighCISA KEVActive ExploitationEUVD Exploited

Published: 23 July 2022

Published
23 July 2022
Modified
24 October 2025
KEV Added
28 March 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.3766 97.3th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-1096 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2022-1096 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 99.0.4844.84. The flaw, tracked under CWE-843, can result in heap corruption when processing specially crafted input.

A remote attacker can exploit the issue by convincing a target to visit a malicious HTML page, achieving high impact on confidentiality, integrity, and availability without requiring authentication or user privileges beyond normal browser interaction.

Chrome stable channel updates released on March 25, 2022, address the vulnerability by advancing the browser to version 99.0.4844.84 or later, and downstream distributions such as Gentoo have issued corresponding advisories recommending prompt upgrades.

The associated EPSS score rose from lower values after disclosure to a peak of 0.5254 on 2025-12-18 before receding to the current 0.3766, indicating renewed exploitation interest well after the initial publication.

EU & UK References

Vulnerability details

Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 99.0.4844.84

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch (Chrome 99.0.4844.84+) that eliminates the V8 type-confusion flaw before exploitation.

preventdetect

Requires integrity verification of browser executables/libraries, blocking or detecting execution of an unpatched, vulnerable Chrome binary.

prevent

Mandates memory-protection mechanisms that can block or contain the heap corruption resulting from successful type confusion in V8.

References