CVE-2022-4178
Published: 30 November 2022
Summary
CVE-2022-4178 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 10.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-4178 is a use-after-free vulnerability in the Mojo component of Google Chrome versions prior to 108.0.5359.71, assigned CWE-416 and rated high severity with a CVSS 3.1 score of 8.8. The flaw resides in the renderer process and can lead to heap corruption when triggered by a specially crafted HTML page.
An attacker who has already compromised the renderer process can exploit the issue remotely by serving a malicious web page, potentially achieving further memory corruption that could be leveraged for code execution or other impacts within the affected browser instance.
Chrome stable channel updates released on 29 November 2022 address the flaw by advancing the browser to version 108.0.5359.71; downstream distributions such as Gentoo have issued corresponding GLSA advisories recommending prompt upgrades to patched Chrome builds.
EPSS for the CVE rose from lower values to a peak of 0.0845 on 2025-12-11 before receding to the current 0.0455, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51539
Vulnerability details
Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.