CVE-2022-4135 Overview
CVE-2022-4135 is a heap buffer overflow vulnerability in the GPU component of Google Chrome prior to version 107.0.5304.121. A remote attacker who has already compromised the renderer process can exploit this flaw to perform a sandbox escape using a crafted HTML page. Google acknowledged exploitation in the wild, and CISA added the issue to its Known Exploited Vulnerabilities catalog. The vulnerability also affects Chromium-based browsers, including Microsoft Edge. The flaw is classified under CWE-787 (Out-of-bounds Write).
Critical Impact
Successful exploitation allows an attacker to escape the Chrome renderer sandbox, leading to code execution outside the browser's security boundary on the host system.
Affected Products
- Google Chrome prior to 107.0.5304.121
- Microsoft Edge (Chromium-based)
Discovery Timeline
- 2022-11-24 - Google releases stable channel update for Desktop addressing the flaw
- 2022-11-25 - CVE-2022-4135 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2022-4135
Vulnerability Analysis
The vulnerability is a heap buffer overflow in Chrome's GPU process. The GPU process handles accelerated graphics operations such as canvas rendering, WebGL, and compositing on behalf of renderer processes. Because the GPU process runs at a higher privilege level than the sandboxed renderer, a memory corruption flaw in this component becomes a viable target for sandbox escape.
A remote attacker who has already achieved code execution inside a renderer through a separate vulnerability can leverage CVE-2022-4135 to corrupt heap memory in the GPU process. By manipulating GPU-bound IPC messages from the compromised renderer, the attacker writes beyond the bounds of a heap-allocated buffer. This out-of-bounds write [CWE-787] enables control of adjacent heap structures and, ultimately, control flow in a less-restricted process.
Root Cause
The root cause is improper bounds checking on a heap-allocated buffer in the GPU component. Crafted input causes the component to write past the buffer's allocated size. The condition meets the definition of an out-of-bounds write and is tracked in the upstream Chromium bug 1392715.
Attack Vector
Exploitation requires the attacker to first compromise the Chrome renderer process, typically through a separate renderer-side vulnerability triggered by a crafted HTML page. From that foothold, the attacker sends malicious data to the GPU process to trigger the overflow. User interaction is required: the victim must load attacker-controlled content in the browser. The flaw is confirmed exploited in the wild and is tracked in the CISA Known Exploited Vulnerabilities Catalog.
No public proof-of-concept code is available, and Google has restricted access to technical details in the upstream bug tracker to limit exposure.
Detection Methods for CVE-2022-4135
Indicators of Compromise
- Chrome or Edge browser versions earlier than 107.0.5304.121 running in the environment
- Unexpected crashes or restarts of the Chrome GPU process (chrome.exe --type=gpu-process) preceding suspicious child process activity
- Browser processes spawning shells, scripting hosts, or other living-off-the-land binaries
- Outbound connections from browser child processes to uncategorized or newly registered domains
Detection Strategies
- Inventory installed browser versions across managed endpoints and flag hosts running Chrome or Chromium-based Edge below the patched build
- Monitor for anomalous process lineage where chrome.exe or msedge.exe GPU subprocesses are followed by suspicious child processes
- Correlate browser crash telemetry with subsequent network or file system anomalies that suggest post-exploitation activity
- Hunt for HTML, JavaScript, or WebGL payloads delivered from phishing campaigns referencing CISA KEV-listed Chrome flaws
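The version-inventory and process-lineage checks above, as an added Python example that is not part of this advisory. It runs over constructed sample data; the event field names (parent_image, parent_cmdline, image) are assumed rather than taken from any particular telemetry product, and the version check covers Chrome only because the page gives no fixed Edge build.

```python
# Fixed Chrome build named in the advisory; Edge's corresponding build is not
# stated on the page, so the version check below covers Chrome only.
PATCHED_CHROME = "107.0.5304.121"

# Browser executables and child images a browser should never spawn.
BROWSERS = {"chrome.exe", "msedge.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}

def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted build string into integers so comparison is numeric:
    as strings, "98.0.4758.102" > "107.0.5304.121", which would hide a vulnerable host."""
    return tuple(int(part) for part in v.strip().split("."))

def is_vulnerable_chrome(version: str) -> bool:
    return parse_version(version) < parse_version(PATCHED_CHROME)

def vulnerable_hosts(inventory: dict[str, str]) -> list[str]:
    """inventory maps hostname -> installed Chrome version (e.g. from reg query / --version output)."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable_chrome(ver))

def flag_suspicious_lineage(events: list[dict]) -> list[dict]:
    """events are process-creation records (Sysmon Event ID 1 shaped; field names are assumed).
    Flags a browser parent spawning a shell/script host and notes whether the parent was the GPU subprocess."""
    flagged = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent in BROWSERS and child in SUSPICIOUS_CHILDREN:
            flagged.append({**ev, "reason": f"{parent} spawned {child}",
                            "from_gpu_process": "--type=gpu-process" in ev["parent_cmdline"]})
    return flagged

# Constructed sample data: a four-host inventory and three process-creation events.
SAMPLE_INVENTORY = {"ws01": "107.0.5304.121", "ws02": "98.0.4758.102",
                    "ws03": "107.0.5304.110", "ws04": "108.0.5359.71"}
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_cmdline": "chrome.exe --type=gpu-process", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_cmdline": "chrome.exe --type=renderer", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws02", "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_cmdline": "msedge.exe --type=utility", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print("vulnerable Chrome hosts:", vulnerable_hosts(SAMPLE_INVENTORY))
    for hit in flag_suspicious_lineage(SAMPLE_EVENTS):
        print(hit["host"], hit["reason"], "(GPU process)" if hit["from_gpu_process"] else "")
```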
Monitoring Recommendations
- Enable centralized logging of process creation events with full command lines for browser processes
- Track GPU process crash dumps and integrate them with endpoint detection and response (EDR) telemetry for retrospective hunts
- Apply application allowlisting controls to prevent browser child processes from launching interpreters or system utilities
- Monitor DNS and HTTP egress from browser processes for connections to known exploit-delivery infrastructure
How to Mitigate CVE-2022-4135
Immediate Actions Required
- Update Google Chrome to version 107.0.5304.121 or later on all Windows, macOS, and Linux endpoints
- Update Microsoft Edge to the corresponding Chromium-based release that incorporates the upstream fix
- Force-restart browser sessions after deployment to ensure the patched binaries are loaded into memory
- Prioritize remediation on systems that browse untrusted content, given the CISA KEV listing
Patch Information
Google released the fix in the stable channel update announced on the Chrome Releases blog. Linux distribution maintainers shipped corresponding updates, including the Gentoo GLSA 202305-10 advisory. The Chromium tracking issue is recorded as crbug.com/1392715.
Workarounds
- No vendor-supplied workaround exists; patching is the only supported remediation
- Restrict browsing to trusted sites via web proxy or DNS filtering until patches are deployed
- Deploy browser management policies that enforce automatic updates and disable update deferral
- Reduce the attack surface by disabling unnecessary GPU-accelerated features in managed browser configurations where feasible
# Verify Chrome version on Windows endpoints (Google Update's "pv" value for the Chrome stable app ID)
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# Verify Chrome version on Linux endpoints
google-chrome --version
# Pin the update target via Chrome Enterprise policy (Linux example; the managed policy
# directory is root-owned, so run as root). TargetVersionPrefix pins updates to the given
# version prefix rather than enforcing a floor, so pair it with an enforced update schedule
# and confirm under chrome://policy that the setting is honoured in your deployment.
cat <<EOF > /etc/opt/chrome/policies/managed/min_version.json
{
  "TargetVersionPrefix": "107.0.5304.121"
}
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.