On July 4, 2022, Google released security updates to fix a zero-day vulnerability in its Chrome web browser. The company said that the vulnerability has already been exploited in the wild. The flaw, tracked as CVE-2022-2294, is a heap overflow vulnerability in the WebRTC component, which enables real-time audio and video communication in browsers without the need to download or install plugins. A heap buffer overflow, in which data is written beyond the bounds of a buffer allocated in the heap area of memory, can cause arbitrary code execution or a denial-of-service (DoS) condition. “Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. When the consequence is arbitrary code execution, this can often be used to subvert any other security service,” stated MITRE.
Jan Vojtesek of the Avast Threat Intelligence team is credited with reporting the vulnerability on July 1, 2022. It’s important to note that the flaw also affects Chrome on Android. As is typically the case with zero-day exploitation, detailed information about the issue has been withheld to avoid further exploitation until a significant number of users have been updated with the fix. CVE-2022-2294 is the fourth Chrome zero-day vulnerability patched since the beginning of the year. The following three zero-day vulnerabilities were discovered and fixed earlier in 2022:
CVE-2022-1364 – 14th of April
CVE-2022-1096 – 25th of March
CVE-2022-0609 – 14th of February
Users are advised to update to version 103.0.5060.114 for Windows, macOS, and Linux and to 103.0.5060.71 for Android to minimize potential risk. Users of Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are likewise advised to install updates as soon as they become available. The disclosure comes shortly after a Google Project Zero report revealed that a total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild so far this year.
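One way to check a browser inventory against the fixed Chrome versions named above, as an added example that is not from the original article or from Google. The inventory records and function names are constructed for illustration, and the comparison assumes stable-channel builds.

```python
import re

# Fixed Chrome releases for CVE-2022-2294, as stated in the article.
FIXED = {
    "windows": "103.0.5060.114",
    "macos": "103.0.5060.114",
    "linux": "103.0.5060.114",
    "android": "103.0.5060.71",
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def assess(product, platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    # Only Google Chrome is compared: other Chromium-based browsers use their
    # own version numbers, and the article gives no fixed version for them.
    if product.strip().lower() not in ("chrome", "google chrome"):
        return "unknown"
    fixed = FIXED.get(platform.strip().lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"
    # Tuples compare numerically per component, so .71 sorts below .114
    # (a plain string comparison would get this wrong).
    return "patched" if found >= parse_version(fixed) else "vulnerable"


# Constructed sample inventory: (product, platform, reported version string).
INVENTORY = [
    ("Google Chrome", "linux", "Google Chrome 103.0.5060.53"),
    ("Google Chrome", "windows", "103.0.5060.114"),
    ("Chrome", "android", "103.0.5060.71"),
    ("Google Chrome", "macos", "Google Chrome 103.0.5060.134"),
    ("Microsoft Edge", "windows", "103.0.1264.44"),
    ("Google Chrome", "linux", "version unavailable"),
]

if __name__ == "__main__":
    for product, platform, text in INVENTORY:
        print(f"{product:15} {platform:8} {text:30} {assess(product, platform, text)}")
```

Records that come back as "unknown" need a manual check against the relevant vendor's own advisory rather than being treated as safe.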