CVE-2022-1096
Published: 23 July 2022
Summary
CVE-2022-1096 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2022-1096 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 99.0.4844.84. The flaw, tracked under CWE-843, can result in heap corruption when processing specially crafted input.
A remote attacker can exploit the issue by convincing a target to visit a malicious HTML page, achieving high impact on confidentiality, integrity, and availability without requiring authentication or user privileges beyond normal browser interaction.
Chrome stable channel updates released on March 25, 2022, address the vulnerability by advancing the browser to version 99.0.4844.84 or later, and downstream distributions such as Gentoo have issued corresponding advisories recommending prompt upgrades.
The associated EPSS score rose from lower values after disclosure to a peak of 0.5254 on 2025-12-18 before receding to the current 0.3766, indicating renewed exploitation interest well after the initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24439
Vulnerability details
Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-843
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch (Chrome 99.0.4844.84+) that eliminates the V8 type-confusion flaw before exploitation.
Requires integrity verification of browser executables/libraries, blocking or detecting execution of an unpatched, vulnerable Chrome binary.
Mandates memory-protection mechanisms that can block or contain the heap corruption resulting from successful type confusion in V8.