CVE-2022-1364 — Google Chromium V8 Type Confusion Vulnerability

CVE-2022-1364

Google Chrome / Chromium — Zero-Day V8 JavaScript Engine Type Confusion; 4th Chrome 0-day of 2022

What is Chromium V8?

V8 is Google's JavaScript and WebAssembly engine used in all Chromium-based browsers. V8 type confusion vulnerabilities are particularly impactful because they can be triggered from any web page through JavaScript, enabling renderer process code execution without user interaction beyond visiting a malicious page.

Overview

CVE-2022-1364 is a high-severity type confusion vulnerability (CWE-843, CVSS 8.8) in Google Chromium's V8 JavaScript engine, the fourth Chrome zero-day of 2022. An attacker can achieve heap corruption via a crafted HTML page, enabling code execution in the renderer process. Google confirmed active in-the-wild exploitation when releasing the emergency patch on April 14, 2022, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog the following day. The vulnerability affects all Chromium-based browsers.

Affected Versions

Product                                        Vulnerable                              Fixed
Google Chrome                                  Before 100.0.4896.127                   100.0.4896.127
Microsoft Edge                                 Before corresponding patched version    Subsequent Edge update
Opera, Brave, other Chromium-based browsers    Affected versions                       Subsequent patched builds

Technical Details

Like CVE-2022-1096 (March 2022), CVE-2022-1364 is a type confusion (CWE-843) in V8. The vulnerability allows an attacker to craft JavaScript that causes V8's type tracking system to incorrectly identify an object's type, enabling out-of-bounds memory access.

V8 uses "hidden classes" (also called Maps) to track the structure and type of JavaScript objects for optimization. A type confusion occurs when the JIT compiler or object system transitions an object to a new hidden class while an existing reference still believes the object has the previous type. Subsequent property accesses or method calls through the stale reference then operate on memory at incorrect offsets, enabling controlled read/write primitives outside the intended object boundaries.

An attacker constructs a sequence of JavaScript operations that reliably triggers this type state inconsistency, then uses the resulting memory access primitive to corrupt heap structures and ultimately redirect code execution in the renderer process.

Discovery

Reported to Google by Clément Lecigne of Google's Threat Analysis Group (TAG). TAG's discovery (an internal Google researcher finding an actively exploited zero-day) indicates the vulnerability was being used in targeted attacks that TAG detected through threat intelligence, rather than through routine fuzzing or external researcher disclosure.

Exploitation Context

Four Chrome zero-days in the first four months of 2022 (CVE-2022-0609, CVE-2022-26485, CVE-2022-1096, CVE-2022-1364) reflect sustained investment by sophisticated threat actors in V8 and renderer vulnerabilities. The pattern observed across the 2022 Chrome zero-days:

  • Predominantly attributed to nation-state actors (DPRK, Russia, others) or commercial exploit vendors
  • Used in targeted campaigns against high-value individuals (journalists, political figures, government employees, fintech/crypto workers)
  • Typically deployed as part of full exploit chains (renderer escape + sandbox bypass) for complete device compromise
  • Discovered by Google TAG through active threat hunting rather than passive bug reports

The frequency suggests either multiple independent nation-state programs investing in Chrome exploitation simultaneously, or a shared exploit broker supply chain.

Remediation

  1. Update Chrome to 100.0.4896.127 or later: Verify in Help > About Google Chrome.
  2. Update all Chromium-based browsers: Edge, Brave, Opera, and others require separate updates.
  3. Enable automatic updates: Ensure browsers auto-update for future emergency patches.
  4. Enterprise patch controls: Push browser updates to managed endpoints outside standard patch cycles for zero-days with active exploitation.
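
To check step 1 across a fleet rather than by hand, the following added example (not from the original advisory or from Google) compares an installed Chrome/Chromium build against the fixed version 100.0.4896.127 given above. It assumes the browser binary is on PATH under one of the Linux-style names listed (hypothetical list; on Windows or macOS read the version from the installed app instead) and that `--version` prints a string like "Google Chrome 100.0.4896.60".

```python
import re
import shutil
import subprocess

# Fixed build from the April 14, 2022 Stable Channel update (from this page).
FIXED_VERSION = "100.0.4896.127"


def parse_version(text):
    """Extract the first dotted version number from a string such as
    'Google Chrome 100.0.4896.60' and return it as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    """True if the installed build is at or above the fixed build.
    Shorter tuples are zero-padded so '100.0.4896' compares as
    '100.0.4896.0' (i.e. still vulnerable)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_chrome_version():
    """Ask a locally installed Chrome/Chromium binary for its version.
    Binary names are an assumption; returns None if none is found."""
    for exe in ("google-chrome", "google-chrome-stable",
                "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "--version"],
                                 capture_output=True, text=True)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    ver = installed_chrome_version()
    if ver is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        status = "patched" if is_patched(ver) else "VULNERABLE to CVE-2022-1364"
        print(f"{ver}: {status}")
```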

Key Details

Property                  Value
CVE ID                    CVE-2022-1364
Vendor / Product          Google — Chromium V8
NVD Published             2022-07-26
NVD Last Modified         2025-10-24
CVSS 3.1 Score            8.8
CVSS 3.1 Vector           CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity                  HIGH
CWE                       CWE-843
CISA KEV Added            2022-04-15
CISA KEV Deadline         2022-05-06
Known Ransomware Use      No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-06. Apply updates per vendor instructions.

Timeline

Date          Event
2022-04-14    Google released Chrome 100.0.4896.127 with emergency fix; confirmed in-the-wild exploitation
2022-04-15    CISA added to KEV
2022-05-06    CISA BOD 22-01 remediation deadline
2022-07-26    CVE formally published to NVD

References

Resource                                        Type
NVD — CVE-2022-1364                             Vulnerability Database
CISA KEV Catalog Entry                          US Government
Chrome Stable Channel Update — April 14, 2022   Vendor Advisory