Cyber Resilience

CVE-2022-2856

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 September 2022
Modified: 24 October 2025
KEV Added: 18 August 2022
Patch
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.0330 (87.5th percentile)
Risk Priority: 35 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2856 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 12.5% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-2856 is an insufficient input validation flaw affecting the handling of Intents in Google Chrome on Android in versions prior to 104.0.5112.101. The issue stems from inadequate checks on untrusted input, which can be supplied through a crafted HTML page, and is tracked under CWE-20 with a CVSS 3.1 base score of 6.5.

A remote attacker can exploit the vulnerability by convincing a user to visit a malicious web page, after which Chrome can be directed to load an arbitrary destination URL without proper validation. Successful exploitation allows the attacker to force the browser to navigate to attacker-controlled sites, potentially facilitating phishing or further malicious redirects while bypassing intended navigation restrictions.

Chrome stable channel updates released in August 2022 address the flaw by correcting Intent validation logic; users are advised to upgrade to version 104.0.5112.101 or later. Corresponding fixes were also reflected in downstream distributions such as Fedora package updates.
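The remediation guidance above reduces to a version threshold: any Chrome on Android build older than 104.0.5112.101 is unpatched. The following Python script is an added example, not part of this record or of Google's tooling; it compares installed versions against that fixed release as integer tuples (plain string comparison would wrongly rank build 97 above build 101) over a constructed inventory in a hypothetical `hostname,platform,chrome_version` format.

```python
"""Patch-compliance check for CVE-2022-2856.

Flags Chrome on Android builds older than the fixed release 104.0.5112.101
(version taken from the record above). Added example, not the record's own
code; the inventory lines below are constructed.
"""
from typing import Dict, Iterable, Tuple

FIXED_VERSION = "104.0.5112.101"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints.

    Raises ValueError for anything that is not four numeric components, so a
    malformed entry is never silently treated as patched.
    """
    parts = v.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory (hypothetical format: hostname,platform,chrome_version)
SAMPLE_INVENTORY = """\
android-0012,android,103.0.5060.129
android-0027,android,104.0.5112.101
android-0041,android,104.0.5112.97
laptop-0003,windows,104.0.5112.81
android-0099,android,not-installed
"""


def scan_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Classify each host as vulnerable, patched, not-applicable or unknown.

    Only Android hosts are in scope, because the flaw lives in Chrome's Intent
    handling on Android; other platforms are reported as not-applicable.
    """
    results: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, platform, version = line.split(",")
        if platform != "android":
            results[host] = "not-applicable"
            continue
        try:
            results[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            # Unparseable version: surface it for manual follow-up rather than
            # guessing either way.
            results[host] = "unknown"
    return results


if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` deserve the same follow-up as `vulnerable` ones: an inventory that cannot state the version cannot prove the patch is present.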

EPSS scores for the CVE remained low after initial disclosure but rose materially to a peak of 0.1137 in December 2024 before receding, indicating renewed exploitation interest well after the original publication date.

EU & UK References

Vulnerability details

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.

CWE(s): CWE-20 (Improper Input Validation)
KEV Date Added: 18 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome: ≤ 104.0.5112.101 · ≤ 104.0.5112.102
fedoraproject fedora: 37

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): Directly requires validation of untrusted inputs before processing, which would have blocked the crafted Intent data that allowed arbitrary navigation.

Prevent, SI-2 (Flaw Remediation): Mandates timely remediation of identified flaws such as the input-validation weakness fixed in Chrome 104.0.5112.101.

Prevent: Enforces policy-based control over information flows (Intents), limiting unauthorized navigation to attacker-chosen destinations.

References