HighCISA KEVExploited in the wildPublic exploit

Use-after-free RCE in Google Chrome Animation

IdentifiersCVE-2022-0609CWE-416· Use After Free

CVE-2022-0609 is a use-after-free vulnerability in the Animation component of Google Chrome prior to version 98.0.4758.102. The flaw can be triggered by a remote attacker via a crafted HTML page, leading to heap corruption in the browser process. Public reporting describes it as a remote code execution vulnerability that was exploited in the wild in early 2022, including by North Korean state-backed operators. The affected condition is a memory-lifetime error in Chrome's Animation handling that permits access to freed memory during web content processing.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause heap corruption and potentially achieve arbitrary code execution in the context of the targeted Chrome browser or embedded Chromium-based application. Because exploitation is delivered through malicious web content, it can be used for drive-by compromise or spearphishing-linked browser exploitation. The content indicates active in-the-wild exploitation against media, high-tech, financial, cryptocurrency, and fintech targets.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, reduce exposure to untrusted web content, enforce URL allowlisting where feasible, restrict or disable unnecessary browsing features in embedded Chromium contexts, and run browsers/applications with least privilege and sandboxing enabled. Additional temporary risk reduction includes limiting access to attacker-controlled or compromised websites and tightening controls around links delivered through spearphishing.

Remediation

Patch, then assume compromise.

Upgrade Google Chrome to version 98.0.4758.102 or later. For embedded Chromium distributions specifically mentioned in the content, upgrade affected CefSharp NuGet packages to 98.1.210 or later. Apply vendor security updates across all Chromium-based deployments and verify that downstream packaged applications have incorporated the fixed Chromium build.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CefsharpCefsharp.Common.Netcoreapplication

CefsharpCefsharp.Winforms.Netcoreapplication

CefsharpCommonapplication

CefsharpCommon.Netcoreapplication

CefsharpOffscreenapplication

CefsharpOffscreen.Netcoreapplication

CefsharpWinformsapplication

CefsharpWinforms.Netcoreapplication

CefsharpWpfapplication

CefsharpWpf.Hwndhostapplication

CefsharpWpf.Netcoreapplication

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

sekoia blogNews

Dec 16, 2022

The DPRK delicate sound of cyber - Sekoia.io Blog

A 0-day remote code execution vulnerability in the Google Chrome web browser used by Lazarus to target cryptocurrency and fintech entities.

google tag blogNews

Mar 24, 2022

Countering threats from North Korea

A remote code execution vulnerability in Google Chrome that was exploited by North Korean government-backed attacker groups in targeted campaigns.

mitre attackNews

Jan 25, 2026

Exploitation for Client Execution, Technique T1203 - Enterprise | MITRE ATT&CK®

A Google Chrome vulnerability leveraged for code execution as part of a drive-by compromise in the 3CX supply-chain attack context.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence4

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2022-0609

NVD

nvd.nist.gov/vuln/detail/CVE-2022-0609

MITRE CWE · CWE-416

Use After Free

Vendor Advisory

chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html

Vendor Advisory

crbug.com/1296150

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0609