Google released security updates on Monday to address a high-severity zero-day vulnerability in its Chrome web browser that it says is being exploited in the wild.
The flaw, tracked as CVE-2022-2294, is a heap buffer overflow in WebRTC, the component that provides real-time audio and video communication in the browser without plugins or native applications.
Heap buffer overflows, also known as heap overruns or heap smashing, occur when data is written past the end of a buffer allocated on the heap, corrupting whatever is stored after it. Depending on what gets overwritten, the result can be arbitrary code execution or a denial-of-service (DoS) condition.
“Heap-based overflows can be used to overwrite function pointers that may live in memory, pointing them to attacker code,” MITRE explains. “When the consequence is the execution of arbitrary code, it can often be used to subvert any other security service.”
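To make MITRE's description concrete, the following is an added C example written for this article. It is not code from Chromium, WebRTC, Google or Avast, and it has nothing to do with the undisclosed details of CVE-2022-2294: it only shows the generic pattern CWE-122 describes. The `struct session` type, the `set_name_*` functions, the `ATTACKER_MARKER` value and the "alice" payload are all constructed for the demonstration. The vulnerable setter copies a caller-supplied length into a 16-byte field that sits directly in front of a function pointer in the same heap chunk; the oversized payload overwrites that pointer, and the next call through it lands in `attacker_on_close`. The hardened setter rejects any length that does not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A heap-allocated object whose fixed-size buffer is immediately followed
 * by a function pointer: the layout CWE-122 describes. (Constructed example.) */
struct session {
    char name[16];
    int (*on_close)(void);
};

/* Marker returned by the stand-in for attacker-controlled code. */
#define ATTACKER_MARKER 0x41414141

static int benign_on_close(void)   { return 0; }
/* A real exploit would redirect the pointer into shellcode or a ROP chain;
 * here the hijack just returns a recognisable marker. */
static int attacker_on_close(void) { return ATTACKER_MARKER; }

typedef int (*setter_fn)(struct session *, const unsigned char *, size_t);

/* VULNERABLE: copies a caller-supplied length with no check against the
 * 16-byte field. The copy goes through the chunk's base pointer so that the
 * overrun stays inside the allocation and the demo is deterministic under any
 * compiler; in real code this is simply memcpy(s->name, data, len). */
static int set_name_vulnerable(struct session *s, const unsigned char *data, size_t len)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    memcpy(dst, data, len);
    return 0;
}

/* FIXED: refuse anything that does not fit, leaving room for the NUL. */
static int set_name_fixed(struct session *s, const unsigned char *data, size_t len)
{
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, data, len);
    s->name[len] = '\0';
    return 0;
}

/* Build either a well-formed name or a constructed overflow payload: filler
 * up to the function pointer, then the address of attacker_on_close, which
 * lands exactly on s->on_close. Returns the payload length. */
static size_t build_payload(unsigned char *buf, size_t cap, int oversized)
{
    if (!oversized) {
        const char *name = "alice";           /* constructed benign input */
        memcpy(buf, name, strlen(name));
        return strlen(name);
    }
    size_t len = offsetof(struct session, on_close) + sizeof(int (*)(void));
    if (len > cap)
        return 0;                              /* cannot happen with sizeof(struct session) */
    memset(buf, 'A', offsetof(struct session, on_close));
    int (*evil)(void) = attacker_on_close;
    memcpy(buf + offsetof(struct session, on_close), &evil, sizeof evil);
    return len;
}

/* Allocate a session, apply the setter, then invoke the object's callback the
 * way owning code would on teardown. Returns the callback's result (0 if the
 * pointer is intact, ATTACKER_MARKER if it was hijacked), or -1 if the setter
 * rejected the input. */
int run_demo(setter_fn setter, int oversized)
{
    struct session *s = calloc(1, sizeof *s);
    if (!s)
        return -1;
    s->on_close = benign_on_close;

    unsigned char payload[sizeof(struct session)];
    size_t len = build_payload(payload, sizeof payload, oversized);

    int result = -1;
    if (setter(s, payload, len) == 0)
        result = s->on_close();
    free(s);
    return result;
}

int main(void)
{
    printf("vulnerable, short name : %#x\n", run_demo(set_name_vulnerable, 0));
    printf("vulnerable, overrun    : %#x\n", run_demo(set_name_vulnerable, 1));
    printf("fixed, short name      : %d\n",  run_demo(set_name_fixed, 0));
    printf("fixed, overrun         : %d\n",  run_demo(set_name_fixed, 1));
    return 0;
}
```

The point of the example is the layout, not the copy routine: once a length that the attacker controls reaches a `memcpy` into a fixed-size heap field, anything adjacent in the chunk, including a function pointer, is theirs to rewrite. The fix is a bounds check before the copy, and in C++ code such as WebRTC the same discipline applies to hand-rolled buffer handling that bypasses bounds-checked containers.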
Jan Vojtesek of the Avast Threat Intelligence team is credited with discovering and reporting the flaw on July 1, 2022. It should be noted that the bug also impacts the Android version of Chrome.
As is typically the case with zero-day exploitation, details of the flaw and of the campaign using it have been withheld to prevent further abuse in the wild, at least until a significant share of users have received the patch.
CVE-2022-2294 is also the fourth zero-day vulnerability in Chrome to be patched since the start of the year.
Users are recommended to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android to mitigate potential threats. Chrome downloads the update in the background but keeps running the old build until it is relaunched; chrome://settings/help shows the version actually in use and triggers the update if it has not been fetched yet. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply patches as they become available.