Google Chrome has released a new patch to address the threat of CVE-2022-2294.
Google was quick to detect the high-severity zero-day vulnerability in Chrome.
The vulnerability has already been exploited by malicious actors. The newly released patch is the fourth Chrome zero-day patch released by Google this year.
Google released the 103.0.5060.114 version, which is now available in the Stable Desktop channel worldwide.
The company estimates that the update will take days or weeks to reach the whole user base.
Google Chrome Vulnerability
Google has released security fixes to address a high-severity zero-day vulnerability in its Chrome web browser.
Google stated that the vulnerability was already being exploited in the wild by malicious actors.
CVE-2022-2294 is a high-severity heap-based buffer overflow vulnerability in the WebRTC (Web Real-Time Communications) component.
The consequences of successful heap overflow exploitation can range from program crashes to unfettered code execution, as well as bypassing security solutions if code execution is gained during the attack.
WebRTC is the component that allows real-time video and audio communication from the browser without the need to install plugins or download native apps, so an overflow in it has the ability to breach a user’s privacy.
According to The Hacker News, a heap buffer overflow happens when data in the memory’s heap area is overwritten, which can lead to a denial-of-service (DoS) condition.
This is also commonly called “heap smashing” or a “heap overrun.” Although it is often assumed that such a bug only affects PCs, it is worth noting that this bug also affects Google Chrome on Android devices.
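The bug class described above, shown as an added illustration that is not the WebRTC code fixed by CVE-2022-2294 and not code from the original article: a heap buffer receives a payload whose length comes from an untrusted header. The wire format (a 2-byte big-endian length followed by the payload), the packet samples and the function names are all constructed for this example. The unchecked variant copies whatever the header declares; the hardened variant validates the declared length against both the bytes actually received and the capacity of the destination before any copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for this illustration only: a 2-byte big-endian
 * length field followed by that many payload bytes. Not the WebRTC format. */
#define HDR_LEN 2

static size_t read_declared_len(const unsigned char *pkt) {
    return ((size_t)pkt[0] << 8) | pkt[1];
}

/* Vulnerable pattern: the heap buffer was sized from a constant, but the copy
 * length comes from the untrusted header. A declared length larger than 'cap'
 * writes past the end of the allocation (heap buffer overflow), which is
 * undefined behaviour: a crash at best, corrupted heap data at worst. */
int unpack_payload_unchecked(const unsigned char *pkt, size_t pkt_len,
                             unsigned char *out, size_t cap) {
    (void)pkt_len; (void)cap;           /* neither limit is consulted */
    size_t n = read_declared_len(pkt);
    memcpy(out, pkt + HDR_LEN, n);      /* overflow when n > cap or n > received bytes */
    return (int)n;
}

/* Hardened version: every length is validated before any copy.
 * Returns the payload length on success, -1 on a malformed packet. */
int unpack_payload_checked(const unsigned char *pkt, size_t pkt_len,
                           unsigned char *out, size_t cap) {
    if (pkt == NULL || out == NULL || pkt_len < HDR_LEN) {
        return -1;                      /* too short to even carry a header */
    }
    size_t n = read_declared_len(pkt);
    if (n > pkt_len - HDR_LEN) {
        return -1;                      /* header claims more than was received */
    }
    if (n > cap) {
        return -1;                      /* would not fit in the heap buffer */
    }
    memcpy(out, pkt + HDR_LEN, n);
    return (int)n;
}

int main(void) {
    enum { CAP = 8 };
    unsigned char *buf = malloc(CAP);
    if (buf == NULL) return 1;

    /* Constructed packets: one well-formed, one whose header lies about its size. */
    const unsigned char good[]  = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
    const unsigned char lying[] = { 0x00, 0x40, 'x', 'y' };   /* claims 64 bytes, carries 2 */

    printf("good packet  -> %d\n", unpack_payload_checked(good, sizeof good, buf, CAP));
    printf("lying packet -> %d\n", unpack_payload_checked(lying, sizeof lying, buf, CAP));
    /* unpack_payload_unchecked(lying, ...) is deliberately never called here:
     * it would overflow 'buf'. Building with -fsanitize=address makes such a
     * call abort with a report instead of silently corrupting the heap. */
    free(buf);
    return 0;
}
```

The two rejections in the hardened function are distinct checks: one against the bytes actually received (a short packet with a large header) and one against the destination capacity (a complete packet that is simply too big for the buffer). Both must be present; either one alone still leaves a path to an out-of-bounds copy.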
Google stated that the CVE-2022-2294 vulnerability was reported to them by a researcher from the Avast Threat Intelligence team, Jan Vojtesek.
Vojtesek is credited for reporting and discovering the vulnerability on July 1, 2022.
The customary practice when a bug is found being exploited in the wild is to keep the details and links regarding the vulnerability restricted for the time being.
Google is following the same protocol, waiting to give the majority of users ample time to deploy the update on their devices and to minimize further abuse in the wild.
Google Chrome Zero-Day Vulnerability
CVE-2022-2294 is Google’s fourth zero-day vulnerability since the year started. According to BleepingComputer, there were three other vulnerabilities detected in Chrome before this update.
The first was CVE-2022-0609, detected on February 14. It had been exploited by North Korean state-backed hackers weeks before the February patch.
The second, CVE-2022-1096, was detected on March 25. It is a high-severity type confusion weakness in the Chrome V8 JavaScript engine.
The third was CVE-2022-1364, detected on April 14. It is also a high-severity type confusion weakness in the Chrome V8 JavaScript engine.
Because this zero-day vulnerability is of high severity, users are advised to install the current Google Chrome update to prevent exploitation.
To protect themselves from any potential danger, users are strongly encouraged to update to version 103.0.5060.114 for Windows, macOS, and Linux, and to version 103.0.5060.71 for Android.
In addition, Opera, Brave, Vivaldi, and Microsoft Edge users are also encouraged to apply the changes as soon as they are made available to them.
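A fleet check for the fixed versions named above, added here as an example and not code from Google or the original article: it parses dotted Chrome version strings, compares them numerically component by component (so "103.0.5060.53" correctly sorts below "103.0.5060.114", which a plain string comparison gets wrong), picks the Android or desktop threshold by platform, and counts the hosts still below it. The inventory, host names and the later build number are constructed for the example; the two fixed versions are the ones quoted in the article.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimum fixed versions quoted in the advisory above. */
#define FIXED_DESKTOP "103.0.5060.114"
#define FIXED_ANDROID "103.0.5060.71"

/* Parse a dotted version ("103.0.5060.114") into up to four numeric
 * components; missing trailing components are treated as 0. Returns the
 * number of components parsed, or -1 if the string is not a clean version. */
static int parse_version(const char *s, unsigned long out[4]) {
    int i = 0;
    for (; i < 4; i++) {
        char *end;
        out[i] = strtoul(s, &end, 10);
        if (end == s) return -1;        /* no digits where a number was expected */
        if (*end == '\0') { i++; break; }
        if (*end != '.') return -1;     /* junk such as "103.0.5060.114beta" */
        s = end + 1;
    }
    for (int j = i; j < 4; j++) out[j] = 0;
    return i;
}

/* 1 if 'have' is the same as or newer than 'need', 0 if older, -1 on parse error. */
int version_at_least(const char *have, const char *need) {
    unsigned long a[4], b[4];
    if (parse_version(have, a) < 0 || parse_version(need, b) < 0) return -1;
    for (int i = 0; i < 4; i++) {
        if (a[i] > b[i]) return 1;
        if (a[i] < b[i]) return 0;
    }
    return 1;
}

/* 1 if a Chrome build on the given platform carries the CVE-2022-2294 fix,
 * 0 if it predates the fix, -1 if the version string cannot be parsed. */
int chrome_fixed(const char *platform, const char *version) {
    const char *need = (strcmp(platform, "android") == 0) ? FIXED_ANDROID : FIXED_DESKTOP;
    return version_at_least(version, need);
}

struct host { const char *name; const char *platform; const char *version; };

/* Count hosts in an inventory that still run a vulnerable build.
 * Unparseable versions are counted as vulnerable (fail closed). */
int count_unpatched(const struct host *inv, size_t n) {
    int unpatched = 0;
    for (size_t i = 0; i < n; i++) {
        if (chrome_fixed(inv[i].platform, inv[i].version) != 1) unpatched++;
    }
    return unpatched;
}

int main(void) {
    /* Constructed inventory: host names and the 104.x build are illustrative only. */
    const struct host inv[] = {
        { "ws-01", "windows", "103.0.5060.114" },
        { "ws-02", "macos",   "103.0.5060.53"  },
        { "ws-03", "linux",   "104.0.0.0"      },   /* hypothetical later build */
        { "ph-01", "android", "103.0.5060.71"  },
        { "ph-02", "android", "102.0.5005.125" },
        { "ws-04", "windows", "unknown"        },   /* agent could not read the version */
    };
    size_t n = sizeof inv / sizeof inv[0];
    for (size_t i = 0; i < n; i++) {
        printf("%-6s %-8s %-16s %s\n", inv[i].name, inv[i].platform, inv[i].version,
               chrome_fixed(inv[i].platform, inv[i].version) == 1 ? "fixed" : "UNPATCHED");
    }
    printf("%d of %zu hosts still need the update\n", count_unpatched(inv, n), n);
    return 0;
}
```

Treating an unreadable version as unpatched is deliberate: a host whose browser version cannot be confirmed should show up on the follow-up list rather than silently pass. Chromium-based browsers such as Edge, Brave, Opera and Vivaldi ship their own version numbers, so this comparison applies only to the Chrome builds the article names.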