Cyber Resilience

CVE-2022-1364

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 26 July 2022

Published
26 July 2022
Modified
24 October 2025
KEV Added
15 April 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.1751 95.2th percentile
Risk Priority 48 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-1364 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 4.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2022-1364 is a type confusion vulnerability (CWE-843) in the V8 Turbofan component of Google Chrome versions prior to 100.0.4896.127. The flaw resides in the JavaScript engine's optimization pipeline and can be triggered by a specially crafted HTML page, resulting in heap corruption.

A remote attacker can exploit the issue by convincing a user to visit a malicious web page. Successful exploitation grants the attacker the ability to corrupt memory and achieve high-impact effects on confidentiality, integrity, and availability without requiring authentication.

Chrome release notes and the associated Gentoo advisory direct users to apply the stable-channel update that resolves the issue in version 100.0.4896.127 and later.

The EPSS score rose materially from lower values to a peak of 0.3373 on 2024-12-17 before receding to the current 0.1751, indicating renewed exploitation interest well after disclosure.

EU & UK References

Vulnerability details

Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
15 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 100.0.4896.127

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (Chrome 100.0.4896.127+) that eliminates the type-confusion flaw in V8 Turbofan.

SC-18 Mobile Code partial match
prevent

Defines policy and technical restrictions on mobile code (JavaScript) execution, limiting the attack surface that a crafted HTML page can exploit.

prevent

Enforces memory-protection mechanisms that can reduce the likelihood of successful heap corruption resulting from the type-confusion condition.

References