Google released security updates on Monday to fix a high-severity zero-day vulnerability in its Chrome web browser that the company said is already being exploited in the wild.
The issue, designated CVE-2022-2294, pertains to a heap overflow vulnerability in the WebRTC component, which enables real-time audio and video communication in browsers without the need to download or install plugins.
A heap buffer overflow, also known as a heap overrun or heap smashing, occurs when data is overwritten in the heap area of memory. This can lead to arbitrary code execution or a denial-of-service (DoS) condition.
According to MITRE, heap-based overflows can be used to overwrite function pointers so that they point to the attacker’s code. “This can frequently be used to undermine any other security service when the result is arbitrary code execution.”
Jan Vojtesek from the Avast Threat Intelligence team is credited with finding and reporting the bug on July 1, 2022. It’s important to note that the flaw also affects Chrome on Android.
As is typically the case with zero-day exploitation, details about the issue and other aspects of the campaign have been withheld to prevent further exploitation in the wild until a sizable portion of users are updated with a fix.
CVE-2022-2294 is also the fourth Chrome zero-day vulnerability patched since the beginning of the year. The previous three are:
CVE-2022-0609 – Use-after-free in Animation
CVE-2022-1096 – Type confusion in V8
CVE-2022-1364 – Type confusion in V8
To reduce their exposure, users are advised to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are encouraged to install the fixes as soon as they become available.