CVE-2022-4437: 
vulnerability analysis and mitigation

A Use-after-free vulnerability in Mojo IPC was discovered in Google Chrome versions prior to 108.0.5359.124. The vulnerability was reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on November 30, 2022, and was officially disclosed on December 13, 2022. This security flaw affects all versions of Google Chrome before the patched version (Chrome Release).

The vulnerability is classified as a Use-after-free (CWE-416) issue specifically affecting the Mojo IPC component in Google Chrome. It received a CVSS v3.1 base score of 8.8 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely with low attack complexity, requires no privileges but does need user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page, which could lead to arbitrary code execution within the context of the browser. The high CVSS score indicates severe potential impacts on system security, including the possibility of complete compromise of the affected browser instance (NVD).

The vulnerability was patched in Chrome version 108.0.5359.124 for Mac and Linux, and 108.0.5359.124/.125 for Windows. Users are strongly advised to update their Chrome browsers to this version or later to mitigate the risk. The fix was also incorporated into various downstream projects and distributions, including Debian and Gentoo (Chrome Release, Gentoo Advisory).