What is Google Chrome V8?
V8 is Google's open-source JavaScript and WebAssembly engine used in Chrome, Chromium, and all Chromium-derived browsers (Microsoft Edge, Opera, Brave, Samsung Internet, and others). V8 executes JavaScript through a multi-tier compilation pipeline: an interpreter (Ignition), a mid-tier JIT compiler (Maglev), and an optimizing JIT compiler (TurboFan). Type confusion vulnerabilities in V8 arise in the JIT compiler's type inference and optimization system, which tracks the types of JavaScript values to generate optimized machine code. When the type inference is incorrect or can be manipulated by crafted JavaScript, the compiled code performs operations assuming a type that does not match the actual runtime value — producing out-of-bounds heap accesses that an attacker can exploit for code execution inside the renderer process.
Overview
CVE-2022-4262 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine that allows a remote attacker to potentially exploit heap corruption by luring a user to visit a crafted HTML page. Google patched it on December 2, 2022 as Chrome 108.0.5359.94 — the 9th Chrome zero-day of 2022, confirming a year of sustained in-the-wild exploitation of Chrome's JavaScript engine. CISA added it to the KEV catalog 3 days after patching. The vulnerability affects all Chromium-based browsers on the same V8 version, including Microsoft Edge and Opera.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Google Chrome (all platforms) | Prior to 108.0.5359.94 | 108.0.5359.94 (December 2, 2022) |
| Microsoft Edge | Prior to equivalent Chromium 108 update | Corresponding December 2022 update |
| Other Chromium-based browsers | Based on pre-December 2022 Chromium | Respective vendor updates |
Technical Details
Type confusion (CWE-843) in V8's JIT compiler occurs when TurboFan's type inference system assigns an incorrect type to a JavaScript value and the optimized compiled code relies on that incorrect type annotation. The exploit pattern:
- Craft JavaScript that trains the type inference — execute code in a way that consistently produces a value of type A, causing TurboFan to annotate the value as type A and generate optimized code that assumes type A
- Violate the type assumption — after JIT compilation, trigger a code path that actually produces a value of type B at the same program point; TurboFan's compiled code, still assuming type A, performs operations inappropriate for type B
- Out-of-bounds heap access — the type confusion causes V8 to read or write memory at an offset computed for type A's layout but applied to a type B object, corrupting adjacent heap contents
- Exploit heap corruption — overwrite V8 internal structures (ArrayBuffer backing stores, JIT code pointers, object property maps) to achieve arbitrary read/write in the renderer process address space
- Execute arbitrary code — with arbitrary read/write, redirect V8 execution to attacker shellcode; chain with a sandbox escape to break out of the Chrome renderer sandbox
CVE-2022-4262 was the 9th Chrome zero-day patched by Google in 2022; earlier entries in that sequence include CVE-2022-0609, CVE-2022-1096, CVE-2022-1364, CVE-2022-2294, CVE-2022-3075, CVE-2022-3723, and CVE-2022-4135. This sustained cadence reflects both the high value of Chrome zero-days and the active market for browser exploits.
Discovery
CVE-2022-4262 was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG). Lecigne was a prolific discoverer of browser zero-days in 2022–2023, with credits across multiple Chrome V8 zero-days (CVE-2022-4262, CVE-2022-4135) and Apple WebKit zero-days, found through analysis of exploit chains used against targeted individuals.
Exploitation Context
Chrome V8 type confusion vulnerabilities are among the most valuable browser zero-days: they execute in the Chrome renderer process which, while sandboxed, provides a JavaScript execution environment that can chain with renderer sandbox escapes for full OS compromise. The 9th zero-day designation for 2022 — nearly one per month — reflects sustained investment by commercial surveillance vendors and nation-state actors in Chrome exploitation capability.
All Chromium-based browsers are affected by V8 vulnerabilities, including Microsoft Edge, which runs the same V8 engine. Enterprise environments that have widely deployed Chromium-based browsers face broad exposure when a Chrome V8 zero-day is discovered.
Remediation
- Update Chrome to 108.0.5359.94 or later — apply via Chrome's built-in update: Settings → Help → About Google Chrome.
- Update all Chromium-based browsers — Microsoft Edge, Opera, and other Chromium-based browsers share V8; update them to their December 2022 or later releases.
- Enable automatic browser updates — configure Chrome and Edge to update automatically; zero-day patches require immediate deployment.
- Deploy enterprise browser update compliance — use endpoint management tools (GPO, Intune) to enforce minimum Chrome/Edge version requirements and flag out-of-date browsers across the fleet.
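The fleet compliance step above needs a version comparison that treats Chrome's four-component build numbers numerically (a lexicographic string compare would rank 108.0.5359.124 below 108.0.5359.94). The following is an added example, not code from the advisory or from Google: it takes the fixed Chrome version from this page and flags inventory rows that predate it. The inventory rows are constructed sample data, and judging non-Chrome Chromium browsers on the Chromium major version alone is an assumption, since the page gives no exact build numbers for them.

```python
"""Flag Chromium-based browsers older than the CVE-2022-4262 fix level.

Added example; not from the advisory or from Google. The Chrome minimum
(108.0.5359.94) is taken from the advisory. Inventory rows are constructed
sample data of the form `hostname,product,version`.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fixed Chrome release per the advisory.
CHROME_FIXED = "108.0.5359.94"
# Assumption: other Chromium-based browsers (Edge, Opera, Brave, ...) are
# judged only on the Chromium major version; the advisory gives no exact
# build numbers for them.
CHROMIUM_FIXED_MAJOR = 108


def parse_version(text: str) -> tuple[int, ...]:
    """Split a dotted version into integers so components compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version predates the fix for CVE-2022-4262."""
    installed = parse_version(version)
    if product.strip().lower() == "chrome":
        # Full four-component comparison against the patched build.
        return installed < parse_version(CHROME_FIXED)
    # Non-Chrome Chromium browsers: major-version check only (assumption above).
    return installed[0] < CHROMIUM_FIXED_MAJOR


@dataclass
class Finding:
    host: str
    product: str
    version: str
    vulnerable: bool


def scan_inventory(csv_lines: list[str]) -> list[Finding]:
    """Classify each `host,product,version` row; comments and blank lines are skipped."""
    findings: list[Finding] = []
    for line in csv_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(","))
        findings.append(Finding(host, product, version, is_vulnerable(product, version)))
    return findings


def vulnerable_hosts(csv_lines: list[str]) -> list[str]:
    """Hostnames that still need the December 2022 update."""
    return [f.host for f in scan_inventory(csv_lines) if f.vulnerable]


# Constructed sample inventory (not real hosts or a real export).
SAMPLE_INVENTORY = [
    "# host,product,version",
    "ws-001,chrome,108.0.5359.94",
    "ws-002,chrome,108.0.5359.71",
    "ws-003,chrome,107.0.5304.122",
    "ws-004,chrome,108.0.5359.124",
    "ws-005,edge,107.0.1418.62",
    "ws-006,edge,108.0.1462.42",
]

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        state = "UPDATE REQUIRED" if finding.vulnerable else "ok"
        print(f"{finding.host:8} {finding.product:7} {finding.version:16} {state}")
```

The same comparison can be fed from an endpoint-management export instead of the inline list; the point is that the minimum-version rule is applied per component, so a newer point release is never misreported as out of date.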
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-4262 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2022-12-02 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 |
| CISA KEV Added | 2022-12-05 |
| CISA KEV Deadline | 2022-12-26 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Decoded from the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H:
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | Required (R) |
| Scope (S) | Unchanged (U) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
Timeline
| Date | Event |
|---|---|
| 2022-12-02 | Google releases Chrome 108.0.5359.94/.95 patching CVE-2022-4262 as an actively exploited zero-day; CVE published to NVD same day |
| 2022-12-05 | CISA adds CVE-2022-4262 to the Known Exploited Vulnerabilities catalog |
| 2022-12-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update for Desktop — December 2, 2022 | Vendor Advisory |
| NVD — CVE-2022-4262 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |