Voyager18 (research)

How to fix CVE-2022-1096

Lior Ben Dayan | March 27, 2022

A new zero-day vulnerability – this time targeting all Chromium-based browsers – has emerged recently, with Google issuing an emergency update to affected users. CVE-2022-1096 was acknowledged by Google on March 25th, but the company did not provide extensive details about the vulnerability.

Here’s everything you need to know. 

What is the CVE-2022-1096 vulnerability?

After the recent reports of exploitation of Chrome’s CVE-2022-0609 by North Korean actors against the United States, Google has issued a critical security update for all Chrome users, urging them to update as soon as possible.

With little information about the vulnerability beyond its general description – Type Confusion in V8 – it is hard to understand its practical details or how it can be triggered.

V8 is Google’s JavaScript engine that is written in C++. 

Type confusion attacks in low-level, memory-unsafe languages such as C or C++ rely on the same variable or memory location being interpreted in multiple unsafe ways, which can lead to out-of-bounds memory access. An example of this is an illegal down-cast of a parent object to one of its child objects.
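The illegal down-cast described above, shown as an added example that is not from the original article or from V8's code base. It uses a constructed toy object model (`Object`, `Number`, `Array` and both `read_item_*` functions are hypothetical names) to put the unchecked cast beside a checked one:

```cpp
#include <cstddef>
#include <cstdint>

// Constructed toy object model (hypothetical names, not V8 code):
// one parent type and two children with different layouts.
struct Object {
    virtual ~Object() = default;
};

struct Number : Object {
    double value = 0.0;
};

struct Array : Object {
    std::size_t length = 0;
    std::int64_t items[4] = {};
};

// Unsafe pattern: static_cast trusts the caller's claim that obj is an Array.
// If obj is really a Number, the read below treats another object's memory
// (or memory past its end) as Array fields, which is undefined behaviour.
std::int64_t read_item_unchecked(Object* obj, std::size_t i) {
    Array* arr = static_cast<Array*>(obj);  // illegal down-cast if obj is not an Array
    return arr->items[i];                   // no bounds check either
}

// Hardened pattern: confirm the dynamic type first, then bounds-check the index.
// Returns false and leaves *out untouched when either check fails.
bool read_item_checked(Object* obj, std::size_t i, std::int64_t* out) {
    Array* arr = dynamic_cast<Array*>(obj);  // nullptr if obj is not an Array
    if (arr == nullptr || i >= arr->length) return false;
    *out = arr->items[i];
    return true;
}

int main() {
    Array a;                 // constructed sample input
    a.length = 2;
    a.items[0] = 7;
    a.items[1] = 9;
    Number n;                // wrong type for an element read
    n.value = 1.5;
    std::int64_t v = 0;
    bool ok = read_item_checked(&a, 1, &v) && v == 9   // valid Array, valid index
           && !read_item_checked(&a, 2, &v)            // index past length
           && !read_item_checked(&n, 0, &v);           // confused type rejected
    return ok ? 0 : 1;
}
```

Building with a sanitizer such as Clang's `-fsanitize=vptr` (part of UBSan) flags the unchecked cast at run time when the object's dynamic type does not match.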

Does it affect me?

Your browser? Probably yes. 

This vulnerability affects all Chromium-based browsers, which use the V8 engine. This means that other browsers (Edge, Opera, Vivaldi, etc.) are vulnerable too.

Microsoft also released their own Microsoft Edge update, saying this CVE relates to Chromium Open Source Software.

The bottom line is that V8 is a JavaScript engine, and it can be used by JavaScript servers (Node.js uses V8) or by C++ software that embeds the V8 engine because it needs a JavaScript runtime environment.

But even if a piece of software uses V8, it is still hard to say whether exploiting it is feasible.

Has CVE-2022-1096 been actively exploited in the wild?

“Google is aware that an exploit for CVE-2022-1096 exists in the wild.”

This quote from Google’s update says it all – exploits exist and are probably also used in the wild.

Moreover, researchers are not waiting for more details and are already looking for interesting Google commits in the V8 git repository. For instance, a2ca…0fb7 or 0981…ffdc appear relevant to the issue due to their description, but there could be others.

This approach of looking for changes in open source repositories is a tried and tested way for malicious actors to arm themselves, despite Google’s withholding of information and unwillingness to release their own exploits.

Fixing CVE-2022-1096

Look for your vendors’ references and updates immediately – Google and Microsoft have already released their updates.

As we depend more on and grow our technologies, vulnerabilities will only increase. Get ahead of the game with Vulcan Remedy Cloud – the free, comprehensive resource for everything you need to know about how to fix the latest CVEs.  
