CVE-2022-1633 – 1641

Overview

External researchers recently discovered and disclosed to Google nine vulnerabilities in Google Chrome for Android. The vulnerabilities are defined in CVE-2022-1633 through CVE-2022-1641 and may enable exploitation via a malcrafted webpage. Successful exploitation may allow the attacker to compromise the user's data on a vulnerable device, and they exist across several components of Chrome.

• CVE-2022-1633: Use after free in Sharesheet.
• CVE-2022-1634: Use after free in Browser UI.
• CVE-2022-1635: Use after free in Permission Prompts.
• CVE-2022-1636: Use after free in Performance APIs.
• CVE-2022-1637: Inappropriate implementation in Web Contents.
• CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
• CVE-2022-1639: Use after free in ANGLE.
• CVE-2022-1640: Use after free in Sharing.
• CVE-2022-1641: Use after free in Web UI Diagnostics.

‍

Lookout Analysis

The most likely way for an attacker to exploit this vulnerability would be to send a link leading to a malcrafted webpage to their target in hopes that the target still has a vulnerable version of Chrome on their device. A successful exploit may grant a threat actor access to Chrome's capabilities without needing to root the device. Mobile device management (MDM) tools will not detect a successful exploitation. In the event of a successful exploit, the actor could have access to any capability that the browser has.