CVE-2022-4135
Published: 25 November 2022
Summary
CVE-2022-4135 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).
Operationally, ranked at the 23.4th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a heap buffer overflow in the GPU component of Google Chrome versions prior to 107.0.5304.121, classified under CWE-787 as an out-of-bounds write. It resides in the browser's graphics processing path and carries a CVSS 3.1 score of 9.6 reflecting network attack vector, low complexity, and high impact across confidentiality, integrity, and availability when chained with a renderer compromise.
An attacker who has already gained control of the renderer process can deliver a crafted HTML page to trigger the flaw and attempt a sandbox escape, potentially gaining broader access to the underlying system.
Chrome release notes and the associated Gentoo advisory direct users to update immediately to version 107.0.5304.121 or later; the fix was shipped in the stable channel on 24 November 2022.
The EPSS score rose materially from a low baseline to a peak of 0.1960 on 2025-01-18 before receding, indicating that exploitation interest emerged well after disclosure and that the CVE merits renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7297
Vulnerability details
Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
- KEV Date Added
- 28 November 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch (Chrome 107.0.5304.121+) that eliminates the heap buffer overflow.
Mandates memory-protection safeguards that block exploitation of out-of-bounds writes in the GPU heap.
Enforces process isolation between renderer and GPU/sandbox boundaries, limiting the impact of a successful escape.