Google released security updates on Monday to fix a high-severity zero-day bug in its Chrome web browser that the company said is already being exploited in the wild.
The issue, designated CVE-2022-2294, pertains to a heap overflow vulnerability in the WebRTC component, which enables real-time audio and video communication in browsers without the need to download or install plugins.
To mitigate potential threats, users are advised to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android. Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are encouraged to install the fixes as soon as they become available.
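A minimal fleet check against the fixed Chrome builds named above, as an added example that is not part of the original article. The inventory rows, host names and status labels are constructed for illustration; the comparison is numeric per component because a plain string comparison would rank build .71 above .114.

```python
import re

# Fixed Chrome builds as stated in the article, keyed by platform.
FIXED = {
    "windows": (103, 0, 5060, 114),
    "macos": (103, 0, 5060, 114),
    "linux": (103, 0, 5060, 114),
    "android": (103, 0, 5060, 71),
}

def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(rows):
    """Map each host to 'patched', 'needs_update' or 'unknown'."""
    result = {}
    for host, platform, version in rows:
        fixed = FIXED.get(platform.lower())
        parsed = parse_version(version)
        if fixed is None or parsed is None:
            # Platform not covered by the article, or unparseable version string.
            result[host] = "unknown"
        elif parsed >= fixed:
            result[host] = "patched"
        else:
            result[host] = "needs_update"
    return result

# Constructed sample inventory: (host, platform, reported Chrome version).
SAMPLE = [
    ("wks-01", "Windows", "103.0.5060.114"),
    ("wks-02", "Windows", "103.0.5060.66"),
    ("mac-01", "macOS", "103.0.5060.53"),
    ("phone-01", "Android", "103.0.5060.71"),
    ("phone-02", "Android", "103.0.5060.70"),
    ("lnx-01", "Linux", "104.0.5112.20"),
    ("kiosk-01", "ChromeOS", "103.0.5060.114"),
    ("wks-03", "Windows", "103.0.5060"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Other Chromium-based browsers use their own version numbering, so they need their vendors' fixed versions rather than these thresholds.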
A heap buffer overflow, also known as a heap overrun or heap smashing, occurs when data is overwritten in the heap area of memory. This may lead to arbitrary code execution or a denial-of-service (DoS) condition.
According to MITRE, heap-based overflows can be used to overwrite function pointers so that they point to the attacker's code. “This may often be used to undermine any other security service when the result is arbitrary code execution.”
Jan Vojtesek from the Avast Threat Intelligence team is credited with finding and reporting the bug on July 1, 2022. It’s important to note that the flaw also affects Chrome on Android.
As is often the case with zero-day exploitation, information about the issue and other details of the campaign have been withheld to prevent further exploitation in the wild until a significant portion of users have updated with a fix.