CVE-2022-0609 — Google Chromium Animation Use-After-Free Vulnerability

CVE-2022-0609

Google Chrome / Chromium — Zero-Day UAF in Animation Engine; Attributed to North Korean APT Targeting Crypto Sector

What is Chromium Animation?

Google Chromium's Animation subsystem handles CSS animations, Web Animations API, and related timing and transition effects within the browser's rendering pipeline. The animation system is part of the Blink rendering engine and runs in the renderer process — the sandboxed process responsible for executing web content. Use-after-free vulnerabilities in the animation engine can be triggered by crafting web pages with specially sequenced animation operations, enabling memory corruption that can lead to code execution within the renderer process.

Overview

CVE-2022-0609 is a high-severity use-after-free (CWE-416, CVSS 3.1 8.8) in the Animation component of Google Chromium. Luring a user to a crafted web page is enough to trigger heap corruption and, with a suitable heap layout, code execution inside the renderer process; because the renderer is sandboxed, a second bug is needed to reach the operating system. Google shipped the fix in Chrome 98.0.4758.102 on 2022-02-14 and stated at the time only that an exploit existed in the wild; it was the first Chrome zero-day of 2022. In March 2022 Google's Threat Analysis Group (TAG) attributed the exploitation to two North Korean state-sponsored groups that had used the same exploit kit against news media, IT, cryptocurrency and fintech organizations since at least early January 2022.

Affected Versions

Product                                       Vulnerable                         Fixed
Google Chrome                                 Before 98.0.4758.102               98.0.4758.102
Microsoft Edge                                Builds on the unpatched Chromium   Subsequent Edge update
Opera, Brave, other Chromium-based browsers   Builds on the unpatched Chromium   Subsequent patched builds

Technical Details

A use-after-free (CWE-416) occurs when code continues to use a memory pointer after the object it points to has been freed. In the Chromium Animation subsystem, a sequence of operations involving animation objects — creating, modifying, and destroying animation states — can free an object while a reference to it remains accessible. Subsequent operations that dereference this dangling pointer access freed heap memory.

By crafting a web page that manipulates the browser's Animation API in a specific sequence, an attacker can:

  1. Trigger the use-after-free by destroying an animation object while the timeline still holds a reference to it
  2. Reclaim the freed allocation with attacker-controlled data (heap grooming or spraying) so the dangling pointer now points at forged object contents
  3. Redirect control flow when the forged object is dereferenced, for example through a corrupted vtable or callback pointer
  4. Achieve code execution within the sandboxed Chromium renderer process

To achieve full OS-level code execution, a sandbox escape must be chained after the renderer exploit. TAG's analysis of the DPRK exploit kit found that it first ran heavily obfuscated JavaScript to fingerprint the visitor and served the renderer exploit only to selected targets; TAG recovered the renderer stage but not the sandbox-escape stage that followed it.
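The page does not reproduce Chromium's own animation code or the exact sequence used in the wild, so the following is an added, constructed model of the bug class rather than the project's code: a timeline iterates its animations and fires a script-visible callback for each; script inside the callback cancels a sibling animation, and the vulnerable tick keeps using the freed object. A toy slot allocator marks freed objects instead of reusing their memory so the stale access is counted deterministically instead of crashing. Names such as Timeline, tick_vulnerable and script_hardened are this example's own, and the deferred-removal fix shown is one standard mitigation for this pattern, not Chromium's actual patch.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4

/* Animation object: "id" is script-visible, "cancelled" is only used by the
 * hardened path to defer destruction until the tick has finished. */
typedef struct Animation {
    int id;
    double progress;
    int cancelled;
} Animation;

/* Toy slot allocator standing in for the renderer heap. A freed slot keeps its
 * bytes but is marked dead, so a stale access is counted rather than crashing;
 * on a real heap the slot would be reused by attacker-controlled data. */
static Animation slot[SLOTS];
static int live[SLOTS];
static int uaf_hits;                 /* accesses to a freed animation */

static Animation *anim_alloc(int id) {
    for (int i = 0; i < SLOTS; i++) {
        if (!live[i]) {
            live[i] = 1;
            memset(&slot[i], 0, sizeof slot[i]);
            slot[i].id = id;
            return &slot[i];
        }
    }
    return NULL;
}

static void anim_free(Animation *a) { live[a - slot] = 0; }

/* All tick-path dereferences go through use() so a UAF is observable. */
static Animation *use(Animation *a) {
    if (!live[a - slot]) uaf_hits++;
    return a;
}

typedef struct Timeline {
    Animation *anims[SLOTS];
    int count;
} Timeline;

typedef void (*finish_cb)(Timeline *tl, Animation *a);

/* "Script" run from animation 0's callback cancels animation 1, which the
 * timeline has not advanced yet. Vulnerable: the object is freed at once. */
static void script_vulnerable(Timeline *tl, Animation *a) {
    if (use(a)->id == 0) anim_free(tl->anims[1]);
}

/* Hardened: cancellation only marks the object; its memory outlives the tick. */
static void script_hardened(Timeline *tl, Animation *a) {
    if (use(a)->id == 0) tl->anims[1]->cancelled = 1;
}

static void tick_vulnerable(Timeline *tl, finish_cb cb) {
    for (int i = 0; i < tl->count; i++) {
        Animation *a = tl->anims[i];
        cb(tl, a);                    /* script may free any animation here */
        use(a)->progress += 0.1;      /* dangling if a was freed above */
    }
}

static void tick_hardened(Timeline *tl, finish_cb cb) {
    for (int i = 0; i < tl->count; i++) {
        Animation *a = tl->anims[i];
        cb(tl, a);
        if (use(a)->cancelled) continue;   /* still allocated, just skipped */
        use(a)->progress += 0.1;
    }
    /* Sweep after iteration: only now is it safe to release cancelled objects. */
    int kept = 0;
    for (int i = 0; i < tl->count; i++) {
        if (tl->anims[i]->cancelled) anim_free(tl->anims[i]);
        else tl->anims[kept++] = tl->anims[i];
    }
    tl->count = kept;
}

/* Constructed scenario: two running animations, script cancels the second. */
static void setup(Timeline *tl) {
    memset(live, 0, sizeof live);
    uaf_hits = 0;
    tl->count = 0;
    for (int id = 0; id < 2; id++) tl->anims[tl->count++] = anim_alloc(id);
}

/* Each returns the number of freed-object accesses the tick performed. */
int run_vulnerable(void) { Timeline tl; setup(&tl); tick_vulnerable(&tl, script_vulnerable); return uaf_hits; }
int run_hardened(void)   { Timeline tl; setup(&tl); tick_hardened(&tl, script_hardened);   return uaf_hits; }
/* Animations still scheduled after a hardened tick (the uncancelled one). */
int hardened_remaining(void) { Timeline tl; setup(&tl); tick_hardened(&tl, script_hardened); return tl.count; }

int main(void) {
    printf("vulnerable tick: %d use-after-free access(es)\n", run_vulnerable());
    printf("hardened tick:   %d use-after-free access(es), %d animation(s) left\n",
           run_hardened(), hardened_remaining());
    return 0;
}
```

The vulnerable tick touches the freed animation twice (once in the callback, once when advancing it); the hardened tick touches freed memory zero times because destruction is deferred to a sweep that runs after script can no longer execute. Blink addresses the same class with traced (garbage-collected) references and, more recently, MiraclePtr, but the invariant is the same: no raw pointer to an object may outlive a point where script can destroy it.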

Discovery

Reported to the Chrome team by Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group (TAG) on 2022-02-10, after TAG identified the exploit kit while tracking targeted North Korean campaigns against the technology, media and financial sectors. The patch followed four days later.

Exploitation Context

Google TAG attributed exploitation of CVE-2022-0609 to two distinct North Korean state-sponsored groups that shared the same exploit kit: one running Operation Dream Job and one running Operation AppleJeus. Key characteristics:

  • Targeting: the Dream Job cluster sent fake job offers to more than 250 people at news media, domain registrars, web hosting providers and software vendors; the AppleJeus cluster targeted more than 85 users at cryptocurrency and fintech organizations, including through compromised legitimate websites
  • Delivery: targets were sent links to attacker-controlled or compromised sites, which loaded the exploit kit in a hidden iframe; the kit fingerprinted the visitor first and served the exploit only to selected targets
  • Financial motivation: DPRK's cryptocurrency targeting is linked to state-directed revenue generation, with Lazarus Group and related units stealing cryptocurrency to fund North Korea's programs
  • Exploit chain: the animation UAF was the renderer stage of a multi-stage kit; TAG assessed that a sandbox escape followed but was unable to recover it
  • Scale: TAG's earliest evidence of the kit being deployed is 2022-01-04, more than five weeks before the patch

DPRK APT groups (including Lazarus Group, APT38 and related units) have repeatedly acquired or developed browser zero-days for financially motivated theft and espionage, and this campaign fits that pattern.

Remediation

  1. Update Chrome to 98.0.4758.102 or later: Chrome downloads updates in the background, but the patched binary only runs after a relaunch. Verify in Help > About Google Chrome, which also triggers an update check.
  2. Update all Chromium-based browsers: Microsoft Edge, Brave, Opera and other Chromium derivatives ship the same Blink animation code and each needs its own vendor update.
  3. Enable automatic updates: Ensure browsers auto-update to receive future emergency patches.
  4. Awareness of targeted phishing: DPRK campaigns typically use LinkedIn and email lures for fintech and crypto employees. Train staff to be suspicious of unsolicited job offers or investment opportunity links.
  5. Endpoint detection: Deploy EDR on all endpoints to detect post-exploitation activity; browser zero-days are typically followed by persistent implant installation.

Key Details

Property              Value
CVE ID                CVE-2022-0609
Vendor / Product      Google — Chromium Animation
NVD Published         2022-04-05
NVD Last Modified     2025-10-24
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416
CISA KEV Added        2022-02-15
CISA KEV Deadline     2022-03-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-03-01. Apply updates per vendor instructions.

Timeline

Date         Event
2022-01-04   Earliest evidence (per Google TAG) of the DPRK exploit kit being deployed
2022-02-10   Google TAG reported the vulnerability to the Chrome team
2022-02-14   Google released Chrome 98.0.4758.102 with the fix and confirmed in-the-wild exploitation
2022-02-15   CISA added CVE-2022-0609 to the KEV catalog
2022-03-01   CISA BOD 22-01 remediation deadline
2022-03-24   Google TAG published its attribution to two North Korean groups (Operation Dream Job and Operation AppleJeus)
2022-04-05   CVE formally published to NVD

References

Resource                                          Type
NVD — CVE-2022-0609                               Vulnerability Database
CISA KEV Catalog Entry                            US Government
Chrome Stable Channel Update — February 14, 2022  Vendor Advisory