CVE-2022-3888 An attacker can exploit heap corruption in Google Chrome prior to 107.0.5304.106 to gain remote access.

Note that this issue was only fixed in the current Chromium version. Google Chrome prior to version 107.0.5304.106 had a use after free issue in WebCodecs that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 107.0.5304.106 had a use after free issue in WebProcessProxy that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 107.0.5304.106 had a use after free issue in V8 that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 107.0.5304.106 had a use after free issue in WebSockets that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 107.0.5304.106 had a use after free issue in Skia render process that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 107.0.5304.106 had a use after free issue in extensions that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 107.0.5304.106 had a use after free issue in WebGL that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 107.0.5304.106 had a

Vulnerability Scenario

An attacker has submitted a malicious HTML page to your website. When this page is loaded, a use after free issue in WebGL allows the attacker to potentially exploit heap corruption via a crafted HTML page.

Google Chrome prior to version 76.0.3809.81 had a heap buffer overflow vulnerability in PDFium

Google Chrome prior to version 76.0.3809.81 had a use after free vulnerability in PDFium that allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. Google Chrome prior to version 76.0.3809.81 had a use after free vulnerability in WebRTC that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 76.0.3809.81 had a use after free vulnerability in JIT code that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google Chrome prior to version 76.0.3809.81 had an arbitrary write vulnerability in MediaKeys that allowed an attacker with local access to potentially exploit heap corruption via JavaScript code using the MediaKeys API on Windows, macOS, Linux and ChromeOS platforms.

Timeline

Published on: 11/09/2022 04:15:00 UTC
Last modified on: 11/14/2022 15:15:00 UTC

References

• https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop.html
• https://crbug.com/1375059
• https://www.debian.org/security/2022/dsa-5275
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3888