Google patches actively exploited vulnerability in Chrome’s WebRTC component

Google has fixed a vulnerability in Chrome that was being actively exploited. The zero-day was in the WebRTC component. It was a heap-based buffer overflow discovered a few days ago.

The vulnerability is registered as CVE-2022-2294. Details about the bug have not yet been announced. Google writes in a short blog post that the bug was discovered on July 1 by security company Avast. According to the post, it is a heap-based buffer overflow in the WebRTC component that is rated ‘High’. A heap-based buffer overflow allows for different types of attack, from crashing programs to executing code. What exactly was done with this bug is unknown. According to Google, the zero-day was actively abused, but details on that are also lacking.

The bug has been fixed in Chrome 103.0.5060.114 for Windows and Chrome 103.0.5060.71 for Android. Two other vulnerabilities are also fixed in that version: CVE-2022-2295 and CVE-2022-2296. The first is a type confusion in Chrome’s V8 engine; the second is a use-after-free vulnerability in the Chrome OS shell.