Google released a new version of Chrome 103 on Monday, fixing four security issues in Chrome, including one critical zero-day vulnerability, CVE-2022-2294. Google notes that it "is aware that an exploit for CVE-2022-2294 exists in the wild."
CVE-2022-2294 is a heap buffer overflow vulnerability in Chrome's WebRTC component. WebRTC enables real-time audio and video communication in the browser without the need to download or install plugins.
A heap buffer overflow, also known as a heap overrun or heap smashing, occurs when a program writes past the bounds of a buffer allocated on the heap and overwrites adjacent heap memory. The effects range from a denial of service (DoS) to arbitrary code execution.
The vulnerability was discovered by Jan Vojtesek from the Avast Threat Intelligence team. It also affects the Android version of Google Chrome, which you can also get an overview of if you manage your company's mobile devices with Intune or AirWatch.
Google released version 103.0.5060.114, which contains the fix for CVE-2022-2294 along with fixes for three other vulnerabilities, including:
- CVE-2022-2295: Type Confusion in V8.
- CVE-2022-2296: Use after free in Chrome OS Shell.
Since both Brave and Microsoft Edge are Chromium-based, they will receive updates as well in the coming days, so keep an eye out for those too.
To help find exactly which devices have not been updated yet, the report below gives an overview of all Chrome installations and their versions. It is color-coded to show which devices are safe and which still need to be updated.
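As an added example (not part of the original post and not the report it refers to), the following Python script implements the kind of check such a report performs: it parses each device's reported Chrome version, compares it against the fixed version 103.0.5060.114 named above, and classifies the device as safe, needing an update, or unknown when the inventory value cannot be parsed. The inventory list is constructed sample data; the device names and the colour scheme are assumptions, and in practice the list would be replaced by an export from the MDM (Intune, AirWatch) or another software inventory.

```python
from typing import Dict, List, Optional, Tuple

# Version that ships the fix for CVE-2022-2294 (taken from the post above).
FIXED_VERSION = "103.0.5060.114"

# Constructed sample inventory standing in for an MDM export: (device, reported Chrome version).
# Device names and versions are invented for this example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("LAPTOP-001", "103.0.5060.114"),                    # exactly the fixed build
    ("LAPTOP-002", "103.0.5060.53"),                     # earlier 103 build, still vulnerable
    ("LAPTOP-003", "102.0.5005.115"),                    # previous major version
    ("LAPTOP-004", "104.0.5112.79"),                     # newer major version, includes the fix
    ("LAPTOP-005", "103.0.5060.114 (Official Build)"),   # extra text after the version string
    ("LAPTOP-006", "unknown"),                           # inventory agent reported nothing usable
]

# ANSI colours for the terminal rendering of the report (assumed colour scheme).
COLOURS = {"safe": "\033[32m", "needs update": "\033[31m", "unknown": "\033[33m"}
RESET = "\033[0m"


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Parse a Chrome version such as '103.0.5060.114' into a tuple of ints.

    Only the leading dotted-numeric token is used, so a value like
    '103.0.5060.114 (Official Build)' still parses. Returns None when the
    value does not start with a dotted-numeric version.
    """
    token = raw.strip().split(" ", 1)[0]
    parts = token.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1 as a < b, a == b, a > b.

    Shorter tuples are zero-padded so that (103, 0) compares equal to (103, 0, 0, 0);
    comparing as integers avoids the classic mistake of string comparison, where
    '103.0.5060.53' would sort after '103.0.5060.114'.
    """
    width = max(len(a), len(b))
    pa = a + (0,) * (width - len(a))
    pb = b + (0,) * (width - len(b))
    return (pa > pb) - (pa < pb)


def classify(raw_version: str, fixed: str = FIXED_VERSION) -> str:
    """Map a reported Chrome version to 'safe', 'needs update' or 'unknown'."""
    fixed_parsed = parse_version(fixed)
    if fixed_parsed is None:
        raise ValueError(f"fixed version is not a valid version string: {fixed!r}")
    parsed = parse_version(raw_version)
    if parsed is None:
        return "unknown"
    return "safe" if compare_versions(parsed, fixed_parsed) >= 0 else "needs update"


def build_report(inventory: List[Tuple[str, str]]) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Classify every device and count the results; returns (per-device status, counts)."""
    statuses = {device: classify(version) for device, version in inventory}
    counts = {status: 0 for status in COLOURS}
    for status in statuses.values():
        counts[status] += 1
    return statuses, counts


def render_report(inventory: List[Tuple[str, str]]) -> str:
    """Render the colour-coded overview as text, one line per device plus a summary."""
    statuses, counts = build_report(inventory)
    lines = []
    for (device, version) in inventory:
        status = statuses[device]
        lines.append(f"{COLOURS[status]}{status:<12}{RESET} {device:<12} {version}")
    summary = ", ".join(f"{k}: {v}" for k, v in counts.items())
    lines.append(f"--- fixed version {FIXED_VERSION}; {summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_INVENTORY))
```

Anything reporting a version at or above 103.0.5060.114, including later major versions, is treated as safe; the "unknown" bucket exists so that a device whose agent failed to report a version is surfaced for follow-up rather than silently counted as patched.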