CVE-2022-4906
Published: 29 July 2023
Summary
CVE-2022-4906 is a high-severity an unspecified weakness vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-4906 is an inappropriate implementation flaw in the Blink rendering engine of Google Chrome versions prior to 108.0.5359.71. The vulnerability received a CVSS 3.1 score of 8.8 and was rated High severity by the Chromium project.
A remote attacker can exploit the issue by serving a crafted HTML page to a victim; successful exploitation grants arbitrary read and write access within the renderer process, which under the supplied CVSS vector requires no privileges but does need user interaction.
Chrome stable channel updates released on 29 November 2022 address the flaw by advancing the browser to version 108.0.5359.71. Downstream distributions such as Fedora have published corresponding package updates that pull in the same fix.
The EPSS score for the CVE stands at 0.3529 with an identical recorded peak, indicating moderate but stable exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52160
Vulnerability details
Inappropriate implementation in Blink in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.