CVE-2022-0978: 
vulnerability analysis and mitigation

Use after free vulnerability in ANGLE (Almost Native Graphics Layer Engine) component was discovered in Google Chrome versions prior to 99.0.4844.74. The vulnerability was reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on February 20, 2022, and was assigned CVE-2022-0978. This security flaw could allow a remote attacker to potentially exploit heap corruption through a specially crafted HTML page (Chrome Release).

The vulnerability is classified as a Use-After-Free (UAF) weakness (CWE-416) in the ANGLE component of Chrome. It received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and user interaction required for exploitation (NVD).

If successfully exploited, this vulnerability could lead to heap corruption, potentially allowing an attacker to execute arbitrary code within the context of the browser. The high CVSS score indicates that the vulnerability could compromise system confidentiality, integrity, and availability (NVD).

Google addressed this vulnerability in Chrome version 99.0.4844.74. Users and administrators are advised to upgrade to this version or later to mitigate the risk. The fix was also incorporated into other Chromium-based browsers and products, including Debian distributions and Gentoo Linux (Gentoo Advisory).