CVE-2024-0222: 
vulnerability analysis and mitigation

CVE-2024-0222 is a Use-after-free vulnerability discovered in ANGLE (Almost Native Graphics Layer Engine) component of Google Chrome versions prior to 120.0.6099.199. The vulnerability was reported by Toan (suto) Pham of Qrious Secure on November 13, 2023, and was disclosed on January 3, 2024 (Chrome Release).

The vulnerability is classified as a Use-after-free (CWE-416) issue in the ANGLE component of Google Chrome. It has received a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires user interaction and can be exploited through a crafted HTML page when the renderer process has been compromised (NVD).

When successfully exploited, this vulnerability could allow a remote attacker who has compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. Given the high CVSS score, the vulnerability could lead to significant impacts on confidentiality, integrity, and availability of the affected system (NVD).

Google has released version 120.0.6099.199 of Chrome to address this vulnerability. Users and administrators are advised to update to this version or later. The fix has also been incorporated into various distributions including Fedora 38 and 39, and Gentoo Linux (Fedora Update, Gentoo Advisory).