CVE-2022-1135: 
vulnerability analysis and mitigation

CVE-2022-1135 is a Use-after-free vulnerability discovered in the Shopping Cart feature of Google Chrome versions prior to 100.0.4896.60. The vulnerability was reported on January 9, 2022, by Wei Yuan of MoyunSec VLab and was assigned a CVSS v3.1 base score of 8.8 (HIGH) (NVD, Chrome Release).

The vulnerability is classified as CWE-416 (Use After Free) and received a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges but does need user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows a remote attacker to potentially exploit heap corruption through standard feature user interaction, which could lead to arbitrary code execution. Given the high CVSS score and impact ratings for confidentiality, integrity, and availability, successful exploitation could result in significant system compromise (NVD).

The vulnerability was patched in Google Chrome version 100.0.4896.60. Users and organizations are advised to update to this version or later to mitigate the risk. The fix was also incorporated into various downstream distributions, including Debian and Gentoo (Gentoo Advisory).