What is Google Chromium GPU?
Google Chromium uses a multi-process architecture where GPU acceleration is handled by a dedicated GPU process, separate from the renderer and browser processes. The GPU process handles hardware-accelerated rendering, compositing, and WebGL/WebGPU operations on behalf of renderer processes. Like other Chromium helper processes, the GPU process runs at a higher privilege level than the renderer sandbox — meaning a vulnerability that allows a compromised renderer to exploit the GPU process can achieve a sandbox escape, converting a sandboxed renderer compromise into full OS-level code execution.
Overview
CVE-2022-4135 is a critical heap buffer overflow vulnerability (CWE-787, CVSS 9.6) in the GPU component of Google Chromium. An attacker who has achieved code execution in the renderer process can trigger a heap buffer overflow in the GPU process, potentially enabling a sandbox escape. Google confirmed active in-the-wild exploitation when releasing the emergency fix on November 24, 2022 — the seventh and final Chrome zero-day of 2022, a record year for Chrome zero-day exploitation. The vulnerability affects all Chromium-based browsers including Chrome, Edge, Opera, and Brave.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome | Before 107.0.5304.87 (Linux) / 107.0.5304.87/.88 (Windows/Mac) | 107.0.5304.87/.88 |
| Microsoft Edge | Corresponding pre-patch version | Subsequent patched Edge update |
| Opera, Brave, and other Chromium-based browsers | Affected versions | Subsequent patched builds |
Technical Details
The vulnerability (CWE-787: Out-of-bounds Write) is a heap buffer overflow in the GPU process's rendering pipeline. A heap buffer overflow occurs when more data is written to a heap-allocated buffer than its allocated size allows, overwriting adjacent heap memory.
In the Chromium GPU process, incoming GPU commands from renderer processes are processed to perform hardware rendering operations. A specially crafted sequence of GPU commands (generated by attacker-controlled WebGL or Canvas API calls from a malicious web page) can trigger an allocation of a GPU command buffer of an incorrect size, followed by a write of data beyond that allocation's bounds.
The attacker exploits the heap overflow to corrupt heap metadata or adjacent objects, ultimately redirecting code execution within the GPU process. Since the GPU process operates outside the renderer sandbox, achieving code execution there provides a partial or full sandbox escape depending on the GPU process's privilege level.
The practical exploitation chain is:
- Compromise renderer via a separate renderer vulnerability
- Send crafted GPU commands to the GPU process over IPC
- Trigger the heap overflow to corrupt GPU process memory
- Achieve code execution in the GPU process (outside renderer sandbox)
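As an added illustration (not Chromium code, and not Chromium's real command-buffer encoding), the following Python parser for a hypothetical command stream shows the class of check whose absence produces the allocation/write mismatch described above: the consumer sizes its working buffer from one header field and must refuse to copy more payload bytes than that buffer holds, and must also refuse payloads the stream does not actually contain. The wire format, the field names and the MAX_ALLOC cap are all assumptions made for the example.

```python
import struct

# Constructed toy command format (an assumption for this example, NOT the
# Chromium command-buffer encoding):
#   u16 opcode | u16 alloc_len | u16 data_len | data_len bytes of payload
# alloc_len is the working-buffer size the consumer reserves for the command;
# data_len is how many payload bytes follow. A consumer that allocates from
# alloc_len but copies data_len bytes without checking that the two agree has
# exactly the allocation/write mismatch the advisory describes.
HEADER = struct.Struct("<HHH")
MAX_ALLOC = 4096  # hypothetical per-command allocation cap


class MalformedCommand(ValueError):
    """Raised for any command the consumer must not act on."""


def parse_commands(stream: bytes):
    """Parse a command stream into (opcode, buffer) pairs, rejecting any
    command whose payload would not fit the buffer its header asks for."""
    cmds = []
    off = 0
    while off < len(stream):
        if len(stream) - off < HEADER.size:
            raise MalformedCommand(f"truncated header at offset {off}")
        opcode, alloc_len, data_len = HEADER.unpack_from(stream, off)
        off += HEADER.size
        if alloc_len > MAX_ALLOC:
            raise MalformedCommand(f"opcode {opcode}: alloc_len {alloc_len} exceeds cap")
        # The bounds check that prevents the out-of-bounds write: never copy
        # more bytes than the allocation sized from alloc_len can hold.
        if data_len > alloc_len:
            raise MalformedCommand(
                f"opcode {opcode}: data_len {data_len} > alloc_len {alloc_len}")
        # Also refuse to read past the end of the stream itself.
        if data_len > len(stream) - off:
            raise MalformedCommand(f"opcode {opcode}: payload truncated")
        buf = bytearray(alloc_len)                      # allocation from header
        buf[:data_len] = stream[off:off + data_len]     # bounded copy
        assert len(buf) == alloc_len                    # buffer never grew
        off += data_len
        cmds.append((opcode, bytes(buf)))
    return cmds


def build_command(opcode: int, alloc_len: int, payload: bytes) -> bytes:
    """Encode one command in the toy format (used to construct test input)."""
    return HEADER.pack(opcode, alloc_len, len(payload)) + payload


# Constructed inputs: a well-formed stream and one whose second header field
# promises an 8-byte buffer while shipping 16 bytes of payload.
GOOD_STREAM = build_command(1, 8, b"abcd") + build_command(2, 4, b"wxyz")
BAD_STREAM = build_command(1, 8, b"A" * 16)


def check_stream(stream: bytes):
    """Return ('ok', commands) or ('rejected', reason) for a stream."""
    try:
        return ("ok", parse_commands(stream))
    except MalformedCommand as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check_stream(GOOD_STREAM))
    print(check_stream(BAD_STREAM))
```

The design point is that both size fields come from the untrusted side of the IPC boundary, so neither can be used to bound a copy until it has been checked against the other and against the bytes actually received.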
Discovery
CVE-2022-4135 was reported to Google by an anonymous researcher. Google's advisory acknowledged active in-the-wild exploitation — indicating the vulnerability was already being used in targeted attacks before Google discovered and patched it. This pattern (anonymous report + confirmed in-the-wild exploitation) suggests the reporter may have encountered an ongoing attack rather than discovering the bug independently.
Exploitation Context
CVE-2022-4135 was the seventh Chrome zero-day of 2022, a historically high number that reflects sustained investment in Chromium vulnerability research by organized threat actors. Browser zero-days are primarily used in:
- Nation-state targeted attacks: Government-sponsored APT groups use browser exploit chains against journalists, activists, government contractors, and defense organizations via phishing links or watering hole attacks
- Commercial exploit development: Offensive security vendors and zero-day brokers maintain browser exploit chains for government intelligence customers
- High-value criminal operations: Some organized crime groups invest in browser exploits for financial sector targeting
The frequency of Chrome zero-days in 2022 (and subsequent years) drives Google's investment in browser isolation technologies like Site Isolation, V8 sandboxing, and MiraclePtr (a use-after-free mitigation), acknowledging that renderer compromises are a realistic first step in browser exploit chains.
Remediation
- Update Chrome immediately: Install Chrome 107.0.5304.87/.88 or later. Chrome auto-updates — verify version in Help > About Google Chrome.
- Update all Chromium-based browsers: Microsoft Edge, Brave, Opera, and other Chromium-based browsers contain the same GPU code and require their own patched updates. Check each browser's update channel separately.
- Enable automatic updates: Ensure all browsers auto-update to receive future emergency patches promptly.
- Enterprise patch deployment: Use Intune, SCCM, or MDM to push emergency browser updates to managed endpoints outside normal patch cycle schedules for zero-days with confirmed in-the-wild exploitation.
- Monitor for post-exploitation indicators: Browser sandbox escapes are typically followed by payload deployment. Monitor for unexpected processes spawned by browser processes on sensitive endpoints.
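The version-verification and monitoring items above, as an added example that is not from the advisory or from any vendor tooling: a Python helper that compares an installed Chrome version against the 107.0.5304.87 fixed build using numeric per-component comparison, and a small detector that flags browser processes spawning non-browser children in constructed, Sysmon-style process-creation records. The record layout, the browser image list and the sample lines are assumptions made for the example; Edge, Brave and Opera carry their own version numbering, so their fixed builds must be taken from each vendor's advisory rather than from FIXED_VERSION below.

```python
import ntpath
import re

# Lowest fixed Chrome build on this page (107.0.5304.87/.88, 24 Nov 2022).
FIXED_VERSION = (107, 0, 5304, 87)


def parse_version(text: str) -> tuple:
    """Pull a four-part Chromium version out of strings such as
    'Google Chrome 107.0.5304.62' or 'Chromium 108.0.5359.71'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no Chromium-style version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str) -> bool:
    """True when the installed Chrome build is at or above the fixed build.
    Tuples compare numerically per component; comparing the raw strings
    would wrongly rank 107.0.5304.9 above 107.0.5304.87."""
    return parse_version(version_text) >= FIXED_VERSION


# Chromium-based browser binaries (assumed names for the example).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Constructed process-creation records, Sysmon Event ID 1 style but simplified:
# timestamp|ParentImage|Image|CommandLine
SAMPLE_EVENTS = [
    "2022-11-25T10:01:02Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --type=gpu-process",
    "2022-11-25T10:01:09Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    "2022-11-25T10:02:31Z|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile",
    "2022-11-25T10:03:00Z|C:\\Windows\\explorer.exe"
    "|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe",
]


def flag_browser_children(events):
    """Return (timestamp, parent, child) for every record in which a browser
    process spawned something other than another browser process. Browser
    helper processes (renderer, GPU, utility) re-launch the same image, so a
    browser parent with a non-browser child is the signal worth reviewing."""
    flagged = []
    for line in events:
        ts, parent_path, child_path, _cmdline = line.split("|", 3)
        parent = ntpath.basename(parent_path).lower()
        child = ntpath.basename(child_path).lower()
        if parent in BROWSER_IMAGES and child not in BROWSER_IMAGES:
            flagged.append((ts, parent, child))
    return flagged


if __name__ == "__main__":
    for v in ("Google Chrome 107.0.5304.62", "Google Chrome 107.0.5304.87"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for hit in flag_browser_children(SAMPLE_EVENTS):
        print("review:", hit)
```

In a real deployment the detector would read from the endpoint's process-creation telemetry rather than an inline list, and the allowlist of expected browser children (updaters, crash handlers) would be tuned per environment; the structure of the check is the same.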
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-4135 |
| Vendor / Product | Google — Chromium GPU |
| NVD Published | 2022-11-25 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-787 (Out-of-bounds Write) |
| CISA KEV Added | 2022-11-28 |
| CISA KEV Deadline | 2022-12-19 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-11-24 | Google released Chrome 107.0.5304.87/.88 with emergency fix; confirmed in-the-wild exploitation |
| 2022-11-25 | CVE published |
| 2022-11-28 | CISA added to KEV |
| 2022-12-19 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-4135 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Chrome Stable Channel Update — November 24, 2022 | Vendor Advisory |