CVE-2022-0609

Published: 05/04/2022 Updated: 08/04/2022
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Use after free in Animation in Google Chrome before 98.0.4758.102 allowed a remote malicious user to potentially exploit heap corruption via a crafted HTML page.

Vulnerable Product

google chrome

Vendor Advisories

Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. For the stable distribution (bullseye), these problems have been fixed in version 98.0.4758.102-1~deb11u1. We recommend that you upgrade your chromium packages. For the detailed security status of ...
The Stable channel has been updated to 98.0.4758.102 for Windows, Mac and Linux which will roll out over the coming days/weeks. Extended stable channel has also been updated to 98.0.4758.102 for Windows and Mac which will roll out over the coming days/weeks. A full list of changes in this build is available in the log. Interested in switching release ...
LTS-96 has been updated in the LTS channel to 9604664202 (Platform Version: 14268770) for most ChromeOS devices. Want to know more about Long-term Support? Click here. This update includes the following Security fixes: 1295786 High CVE-2022-0796 uaf in blink::MediaInspectorContextImpl::CullPlayers(blink::Web ...

Github Repositories

Current Incidents Activity. Last Updated 18/02/2022 12:34:27. A daily updated summary of the most frequent types of security incidents currently being reported from different sources. CERT-FR (Title, Description, Date): Multiple vulnerabilities in the Ubuntu Linux kernel. Multiple vulnerabilities have been discovered in

Recent Articles

Google Patches Chrome’s Fifth Zero-Day of the Year
Threatpost • Elizabeth Montalbano • 18 Aug 2022

Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.
The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents,” according to the advisory posted by Google.
Google credits Ashley Shen and Christian Resell of its Google Threat Analys...

IT threat evolution in Q2 2022. Non-mobile statistics
Securelist • AMR • 15 Aug 2022

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q2 2022:

Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
...

Google Patches Actively Exploited Chrome Bug
Threatpost • Elizabeth Montalbano • 05 Jul 2022

While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.
Chrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the bro...

IT threat evolution in Q1 2022. Non-mobile statistics
Securelist • AMR • 27 May 2022

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q1 2022:

Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
...

Google Chrome Zero-Day Bugs Exploited Weeks Ahead of Patch
Threatpost • Elizabeth Montalbano • 25 Mar 2022

North Korean threat actors exploited a remote code execution (RCE) zero-day vulnerability in Google’s Chrome web browser weeks before the bug was discovered and patched, according to researchers.
Google Threat Analysis Group (TAG) discovered the flaw, tracked as CVE-2022-0609, on Feb. 10, reporting and patching it four days later as part of an update. Researchers said at the time that an exploit for the flaw–a use-after-free vulnerability in Chrome’s animation component–already exi...

Emergency Google Chrome update fixes zero-day used in attacks
BleepingComputer • Sergiu Gatlan • 25 Mar 2022

Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug exploited in the wild.
"Google is aware that an exploit for CVE-2022-1096 exists in the wild," the browser vendor said in a 
 published on Friday.
The 99.0.4844.84 version is already rolling out worldwide in the Stable Desktop channel, and Google says it might be a matter of weeks until it reaches the entire userbase.
This update was available immedi...

North Korean hackers exploit Chrome zero-day weeks before patch
BleepingComputer • Ionut Ilascu • 24 Mar 2022

North Korean state hackers have exploited a zero-day, remote code execution vulnerability in Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency, and fintech organizations.
Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched
(described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean...

Chrome Zero-Day Under Active Attack: Patch ASAP
Threatpost • Lisa Vaas • 15 Feb 2022

Google on Monday issued 11 security fixes for its Chrome browser, including a high-severity zero-day bug that’s actively being jumped on by attackers in the wild.
In a brief update, Google described the weakness, tracked as CVE-2022-0609, as a use-after-free vulnerability in Chrome’s Animation component. This kind of flaw can lead to all sorts of misery, ranging from the corruption of valid data to the execution of arbitrary code on vulnerable systems. Such flaws can also be used to es...

CISA tells federal agencies to patch actively exploited Chrome, Magento bugs
BleepingComputer • Sergiu Gatlan • 15 Feb 2022

The US Cybersecurity and Infrastructure Security Agency (CISA) has added nine new flaws to its collection of actively exploited vulnerabilities, including two recently patched zero-days impacting Google Chrome and Adobe Commerce/Magento Open Source.
The Chrome vulnerability (CVE-2022-0609) is a high severity use after free bug that
or escape the browser's security sandbox on computers running unpatched Chrome versions addressed in Chrome 98.0.4758.102.
Adobe released an emerg...

Emergency updates: Adobe, Chrome patch security bugs under active attack
The Register • Thomas Claburn in San Francisco

Friends are always telling me ... just be good to free()

Adobe has released an out-of-band security update for Adobe Commerce and Magento Open Source to address active exploitation of a known vulnerability, and Google has an emergency issue, too.
Security Bulletin APSB22-12 fixes CVE-2022-24086, rated 9.8 (critical) out of 10 on the CVSS scale. Adobe has not released details about the issue beyond noting that it involves improper input validation (CWE-20). The software maker says exploitation does not require any special privileges and allows ar...

Google Chrome emergency update fixes zero-day exploited in attacks
BleepingComputer • Lawrence Abrams

Google has released Chrome 98.0.4758.102 for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability used by threat actors in attacks.
"Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild," Google said in a 
 released today.
Google states that the Chrome update will roll out over the coming weeks. However, it is possible to install the update immediately simply by going into the 
 > 

Google patches new Chrome zero-day flaw exploited in attacks
BleepingComputer • Sergiu Gatlan

Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022.
"Google is aware that an exploit for CVE-2022-2294 exists in the wild.," the browser vendor explained in a 
 published on Monday.
The 103.0.5060.114 version is rolling out worldwide in the Stable Desktop channel, with Google saying that it's a matter of days or weeks until it ...

Google issues third emergency fix for Chrome this year
The Register • Jeff Burt

The latest patch is aimed at a type confusion vulnerability that is actively being exploited

Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild.
The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi.
It is the third such emergency update Google has had to issue for Chrome this year.
One of the flaws is a type confusion vulnerability trac...