CVE-2022-2856 — Google Chromium Intents Insufficient Input Validation Vulnerability

CVE-2022-2856

Google Chrome/Chromium — Zero-Day Intent URI Validation Bypass Enabling Arbitrary App Launch from Web Content

What are Chromium Intents?

Intents are a URI scheme (e.g., intent://...) originally designed for Android that allows web content to launch native Android applications by specifying an app, action, and data. Chromium's desktop implementation of Intents — carried over from the Android codebase — allows web pages to trigger the opening of registered URL protocol handlers and applications on the host system. Because Intents can bridge web content to native application execution, insufficient validation of Intent URIs represents a significant security boundary between the browser sandbox and the underlying OS.

Overview

CVE-2022-2856 is an insufficient input validation vulnerability in the Intents handler of Google Chrome and other Chromium-based browsers. A remote attacker can craft a malicious web page containing a specially constructed Intent URI that bypasses Chrome's validation checks, causing the browser to trigger application launches or navigate to potentially dangerous destinations without proper security enforcement. Google patched this as an actively exploited zero-day in Chrome 104.0.5112.101 on August 16, 2022; CISA added it to KEV two days later.

Affected Versions

Product                            Vulnerable              Fixed
Google Chrome (desktop)            < 104.0.5112.101        104.0.5112.101
Microsoft Edge (Chromium-based)    Corresponding versions  Corresponding update
Opera and other Chromium browsers  Corresponding versions  Corresponding update

Technical Details

The vulnerability lies in Chrome's handling of intent:// URIs embedded in web content. Chrome's Intent processing code failed to adequately validate the scheme, host, or parameters of Intent URIs before acting on them. A crafted Intent URI could cause Chrome to:

  • Launch registered protocol handlers with attacker-controlled parameters

  • Navigate to content in a manner that bypasses the browser's usual origin/security checks

  • Trigger application execution paths outside the Chrome sandbox

Exploitation characteristics:

  • Attack vector: Network — victim visits a malicious web page or clicks a crafted link

  • User interaction: Required — victim must visit the attacker's page (though no additional clicks are required once on the page)

  • No authentication required: Any web page can embed the malicious Intent URI

  • Scope: Integrity impact — ability to influence application launch outside browser's intended security perimeter

Discovery

Reported by Ashley Shen and Christian Resell of Google's Threat Analysis Group (TAG). The reporters are members of the team that tracks government-backed attackers and zero-day exploitation, indicating the vulnerability was observed being used in active targeted attacks before Google developed the patch.

Exploitation Context

The combination of Google TAG discovery and same-week CISA KEV addition strongly indicates this was exploited by a sophisticated threat actor — likely a government-nexus group targeting high-value individuals — before the patch was available. Chrome zero-days discovered by TAG are characteristically associated with nation-state surveillance operations against journalists, dissidents, and government officials. The rapid CISA response (48 hours from patch to KEV) is consistent with confirmed in-the-wild exploitation.

Remediation

  1. Update Chrome to version 104.0.5112.101 or later immediately
  2. Update all Chromium-based browsers (Microsoft Edge, Opera, Brave, etc.) to their corresponding patched versions
  3. Enable automatic Chrome updates to ensure rapid zero-day patching
  4. Restrict use of unapproved browser extensions that could expand the attack surface
  5. For high-risk users: consider Chrome Enhanced Safe Browsing mode
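To support steps 1 and 2, the following added example (not part of the original advisory) triages a browser inventory against the fixed Chrome build stated above. The inventory rows, host names and function names are constructed for illustration; fixed builds for other Chromium browsers are not given on this page, so those rows are routed to manual review.

```python
# Added example: classify inventory rows against the fixed Chrome build.
FIXED_CHROME = "104.0.5112.101"  # fixed version as stated on this page

# Constructed sample inventory (host, product, version); not real data.
INVENTORY = [
    ("ws-01", "Google Chrome", "104.0.5112.81"),
    ("ws-02", "Google Chrome", "104.0.5112.101"),
    ("ws-03", "Google Chrome", "103.0.5060.134"),
    ("ws-04", "Microsoft Edge", "104.0.1293.54"),
    ("ws-05", "Google Chrome", "unknown"),
]


def parse_version(text):
    """Return a tuple of ints for a dotted four-part version, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(product, version):
    """Classify one row as patched, vulnerable, or needing manual review."""
    if product != "Google Chrome":
        # The page lists no fixed build for other Chromium-based browsers.
        return "check-vendor-advisory"
    parsed = parse_version(version)
    if parsed is None:
        # Never treat an unreadable version as patched.
        return "unparseable-version"
    # Compare numerically, component by component. A plain string comparison
    # would rank "104.0.5112.81" above "104.0.5112.101" and pass a vulnerable build.
    return "patched" if parsed >= parse_version(FIXED_CHROME) else "vulnerable"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```
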

Key Details

Property               Value
CVE ID                 CVE-2022-2856
Vendor / Product       Google — Chromium Intents
NVD Published          2022-09-26
NVD Last Modified      2025-10-24
CVSS 3.1 Score         6.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity               MEDIUM
CISA KEV Added         2022-08-18
CISA KEV Deadline      2022-09-08
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      None
Integrity            High
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2022-09-08. Apply updates per vendor instructions.

Timeline

Date        Event
2022-08-16  Google releases Chrome 104.0.5112.101 patching CVE-2022-2856 as a zero-day
2022-08-18  Added to CISA Known Exploited Vulnerabilities catalog
2022-09-08  CISA BOD 22-01 remediation deadline
2022-09-26  CVE formally published in NVD