
Google Warns of Chrome Zero-Day Bug


Google has released new versions of its Chrome browser for Windows and Android in order to address a zero-day vulnerability. The vulnerability has been fixed in version 103.0.5060.114 for Windows and 103.0.5060.71 for Android.

The high-severity vulnerability (CVE-2022-2294) is a heap buffer overflow, a memory-safety bug in which data is written into a heap-allocated buffer that is too small to hold it, so the excess spills into whatever the allocator has placed next to that buffer. Depending on what gets overwritten, exploiting such a bug typically ranges from crashing the process (a denial of service) to, in some cases, arbitrary code execution.
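
The bug class described above, as an added illustration that is not code from Chrome or WebRTC and says nothing about the actual CVE-2022-2294 code path, which Google had not published at the time of the article. The `struct frame` type, the `PAYLOAD_MAX` size and the `trusted_flag` field are hypothetical: a heap object holds a fixed 16-byte payload followed by a field the program trusts, an unchecked copy of attacker-controlled length overwrites that neighbouring field, and the hardened copy rejects the oversized input instead.

```c
/*
 * Added example (not Chrome/WebRTC code): an unchecked copy into a fixed-size
 * heap buffer beside a bounds-checked version of the same copy.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAYLOAD_MAX 16   /* hypothetical fixed buffer size */

/* Hypothetical heap object: a fixed-size payload and a field the code trusts.
 * With no padding between them, trusted_flag sits at byte offset 16. */
struct frame {
    uint8_t payload[PAYLOAD_MAX];
    uint32_t trusted_flag;
};

struct frame *frame_new(void)
{
    struct frame *f = calloc(1, sizeof *f);   /* zeroed: trusted_flag == 0 */
    if (f == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
    return f;
}

/* Vulnerable: the copy length comes from the input, never from the buffer. */
void frame_fill_vulnerable(struct frame *f, const uint8_t *src, size_t len)
{
    memcpy(f->payload, src, len);   /* len > PAYLOAD_MAX writes past payload */
}

/* Hardened: check the length against the destination capacity first.
 * Returns 0 on success, -1 when the input does not fit. */
int frame_fill_checked(struct frame *f, const uint8_t *src, size_t len)
{
    if (len > PAYLOAD_MAX) {
        return -1;
    }
    memcpy(f->payload, src, len);
    return 0;
}

/* Self-check: an in-bounds copy succeeds and leaves the neighbour untouched. */
int checked_copy_accepts_fitting_input(void)
{
    uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    struct frame *f = frame_new();
    int ok = frame_fill_checked(f, src, sizeof src) == 0
             && f->payload[7] == 8
             && f->trusted_flag == 0;
    free(f);
    return ok;
}

/* Self-check: an oversized copy is refused and the neighbour stays zero. */
int checked_copy_rejects_oversized_input(void)
{
    uint8_t src[20];                 /* constructed input: 4 bytes too long */
    memset(src, 0x41, sizeof src);
    struct frame *f = frame_new();
    int rejected = frame_fill_checked(f, src, sizeof src) == -1
                   && f->trusted_flag == 0;
    free(f);
    return rejected;
}

int main(void)
{
    /* Constructed attacker input: 20 bytes of 0x41, four more than fit. */
    uint8_t oversized[20];
    memset(oversized, 0x41, sizeof oversized);

    /* The unchecked copy clobbers the adjacent field (undefined behaviour;
     * shown here only to make the spill visible). */
    struct frame *a = frame_new();
    frame_fill_vulnerable(a, oversized, sizeof oversized);
    printf("vulnerable copy: trusted_flag = 0x%08x\n", (unsigned)a->trusted_flag);

    /* The checked copy refuses the input and the field keeps its value. */
    struct frame *b = frame_new();
    int rc = frame_fill_checked(b, oversized, sizeof oversized);
    printf("checked copy: rc = %d, trusted_flag = 0x%08x\n", rc, (unsigned)b->trusted_flag);

    free(a);
    free(b);
    return 0;
}
```

In the vulnerable path the four excess bytes land in `trusted_flag`, turning it into 0x41414141; in a real heap the neighbour might instead be another object's pointer or allocator metadata, which is where the crash-or-code-execution outcomes in the article come from. Build with AddressSanitizer (`-fsanitize=address`) and the unchecked copy is reported as a heap-buffer-overflow at the `memcpy`.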

“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” according to Google’s Monday security advisory for Windows. “The Stable channel has been updated to 103.0.5060.114 for Windows, which will roll out over the coming days/weeks.”

The flaw exists in WebRTC, an open-source project supported by Chrome that provides real-time text, voice and video communication capabilities for web browsers and mobile applications. The flaw was reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1.

Google on Monday also issued fixes for two other high-severity flaws: a type confusion bug in V8 (CVE-2022-2295) and a use-after-free flaw in Chrome OS Shell (CVE-2022-2296). As is typical for Chrome updates, Google is withholding further details about the vulnerabilities and the exploit until a majority of users have received the fix.

The vulnerability is the fourth Chrome zero-day disclosed so far this year, following flaws in February (CVE-2022-0609), March (CVE-2022-1096) and April (CVE-2022-1364).