Cyber Resilience

CVE-2022-3075

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 26 September 2022

Published
26 September 2022
Modified
24 October 2025
KEV Added
08 September 2022
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0212 84.5th percentile
Risk Priority 40 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-3075 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, ranked in the top 15.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2022-3075 is an insufficient data validation flaw in the Mojo component of Google Chrome versions prior to 105.0.5195.102. It is assigned CWE-20 and carries a CVSS 3.1 score of 9.6, reflecting its high severity for confidentiality, integrity, and availability impacts under network attack vectors.

An attacker who has already compromised the renderer process can supply a specially crafted HTML page to attempt escape from Chrome's sandbox, potentially gaining broader access to the underlying system.

Public advisories, including the Chrome stable channel update and downstream notices from Fedora and Gentoo, direct users to upgrade immediately to version 105.0.5195.102 or later; no additional configuration changes or workarounds are specified.

EPSS scores have remained low, with a current value of 0.0212 and a peak of 0.0299.

EU & UK References

Vulnerability details

Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CWE(s)
KEV Date Added
08 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 105.0.5195.102
fedoraproject
fedora
37

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of input data, which would have blocked the crafted HTML page from triggering the Mojo sandbox escape.

prevent

Mandates process isolation boundaries that contain a compromised renderer and prevent escape to the host system.

prevent

Enforces access-control decisions between the renderer and system resources, limiting the impact of a successful Mojo validation bypass.

References