Exploitation Summary
CVE-2022-2856 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 18, 2022.
Description
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
References (4)
Core References
Patch, Release Notes, Vendor Advisory x_refsource_misc
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
Exploit, Issue Tracking, Mailing List, Vendor Advisory x_refsource_misc
https://crbug.com/1345630
Mailing List vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-2856
Scores
CVSS v3: 6.5
EPSS: 0.0330
EPSS Percentile: 87.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: partial
Details
CISA KEV: 2022-08-18
VulnCheck KEV: 2022-07-19
InTheWild.io: 2022-07-19
ENISA EUVD: EUVD-2022-35090
CWE: CWE-20
Status: published
Products (2)
fedoraproject/fedora: 37
google/chrome: < 104.0.5112.101
Published: Sep 26, 2022
KEV Added: Aug 18, 2022
Tracked Since: Feb 18, 2026