Google released a security bulletin disclosing CVE-2022-2294, a heap buffer overflow in WebRTC that poses a major security threat. Google has released an emergency security update to fix this vulnerability; the fixed version is Google Chrome 103.0.5060.114.
This update also fixes CVE-2022-2295 (type confusion in V8) and CVE-2022-2296 (use after free in Chrome OS Shell), both of which are high-risk vulnerabilities.
According to Google, “Google is aware that an exploit for CVE-2022-2294 exists in the wild. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” At present, it is only known that this vulnerability is a high-severity heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component. For security reasons, Google will disclose the full details of the vulnerability only after most users have updated. Such vulnerabilities can often be used to execute arbitrary code or escape the browser’s security sandbox, and interested researchers can wait for Google's subsequent disclosures.