Cyber Resilience

CVE-2022-4906

HighPublic PoC

Published: 29 July 2023

Published
29 July 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.3529 97.2th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-4906 is a high-severity an unspecified weakness vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-4906 is an inappropriate implementation flaw in the Blink rendering engine of Google Chrome versions prior to 108.0.5359.71. The vulnerability received a CVSS 3.1 score of 8.8 and was rated High severity by the Chromium project.

A remote attacker can exploit the issue by serving a crafted HTML page to a victim; successful exploitation grants arbitrary read and write access within the renderer process, which under the supplied CVSS vector requires no privileges but does need user interaction.

Chrome stable channel updates released on 29 November 2022 address the flaw by advancing the browser to version 108.0.5359.71. Downstream distributions such as Fedora have published corresponding package updates that pull in the same fix.

The EPSS score for the CVE stands at 0.3529 with an identical recorded peak, indicating moderate but stable exploitation interest since disclosure.

EU & UK References

Vulnerability details

Inappropriate implementation in Blink in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 108.0.5359.71

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References