Cyber Resilience

CVE-2022-4262

HighCISA KEVActive ExploitationEUVD Exploited

Published: 02 December 2022

Published
02 December 2022
Modified
24 October 2025
KEV Added
05 December 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0856 92.6th percentile
Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-4262 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 7.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2022-4262 is a type confusion vulnerability in the V8 JavaScript engine of Google Chrome versions prior to 108.0.5359.94. The flaw, tracked as CWE-843, can result in heap corruption when a victim processes a crafted HTML page.

A remote attacker can trigger the issue by serving malicious web content that the target visits, enabling potential exploitation of memory corruption to achieve impacts rated at CVSS 8.8 for confidentiality, integrity, and availability.

Chrome stable channel updates published on December 2, 2022, resolve the issue by advancing to version 108.0.5359.94 or newer. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog.

The associated EPSS score has remained flat at 0.0856 with no material rise after disclosure.

EU & UK References

Vulnerability details

Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
05 December 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 108.0.5359.94

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (Chrome 108.0.5359.94+) that eliminates the type-confusion flaw in V8.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-executes untrusted mobile code (JavaScript) that an attacker must deliver via a crafted HTML page to trigger the V8 flaw.

prevent

Enforces memory-protection mechanisms that can block or contain the heap corruption resulting from successful type confusion in V8.

References