CVE-2022-2856
Published: 26 September 2022
Summary
CVE-2022-2856 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 12.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-2856 is an insufficient input validation flaw affecting the handling of Intents in Google Chrome on Android in versions prior to 104.0.5112.101. The issue stems from inadequate checks on untrusted input, which can be supplied through a crafted HTML page, and is tracked under CWE-20 with a CVSS 3.1 base score of 6.5.
A remote attacker can exploit the vulnerability by convincing a user to visit a malicious web page, after which Chrome can be directed to load an arbitrary destination URL without proper validation. Successful exploitation allows the attacker to force the browser to navigate to attacker-controlled sites, potentially facilitating phishing or further malicious redirects while bypassing intended navigation restrictions.
Chrome stable channel updates released in August 2022 address the flaw by correcting Intent validation logic; users are advised to upgrade to version 104.0.5112.101 or later. Corresponding fixes were also reflected in downstream distributions such as Fedora package updates.
EPSS scores for the CVE remained low after initial disclosure but rose materially to a peak of 0.1137 in December 2024 before receding, indicating renewed exploitation interest well after the original publication date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35090
Vulnerability details
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
- CWE(s)
- KEV Date Added
- 18 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted inputs before processing, which would have blocked the crafted Intent data that allowed arbitrary navigation.
Mandates timely remediation of identified flaws such as the input-validation weakness fixed in Chrome 104.0.5112.101.
Enforces policy-based control over information flows (Intents), limiting unauthorized navigation to attacker-chosen destinations.