⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-09-15.

CVE-2022-2294

CWE-787Out-of-bounds WriteCWE-122Heap-based Buffer Overflow14 documents12 sources
Severity
8.8HIGH
EPSS
1.2%
top 21.38%
CISA KEV
KEVRansomware
Added 2022-08-25
Due 2022-09-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
11
Google ChromeApple IpadosApple Iphone OS+8 more
Timeline
PublishedJul 28
KEV addedAug 25
KEV dueSep 15
CISA Required Action: Apply updates per vendor instructions.

Description

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages14 packages

CVEListV5google/chromeunspecified103.0.5060.114
NVDgoogle/chrome< 103.0.5060.114
NVDapple/tvos< 15.6
NVDapple/macos12.012.5+1
NVDapple/ipados< 15.6

Also affects: Fedora 35, 36

🔴Vulnerability Details

5
GHSA
GHSA-9q96-cwq7-cr4m: Heap buffer overflow in WebRTC in Google Chrome prior to 1032022-07-29
OSV
CVE-2022-2294: Heap buffer overflow in WebRTC in Google Chrome prior to 1032022-07-28
CVEList
CVE-2022-2294: Heap buffer overflow in WebRTC in Google Chrome prior to 1032022-07-28
VulnCheck
WebRTC Heap Buffer Overflow Vulnerability2022
Project0
Project Zero RCA: CVE-2022-2294: Heap buffer overflow in WebRTC

📋Vendor Advisories

8
CISA
WebRTC Heap Buffer Overflow Vulnerability2022-08-25
Ubuntu
WebKitGTK vulnerabilities2022-08-15
Apple
CVE-2022-2294: Safari 15.62022-07-20
Apple
CVE-2022-2294: macOS Monterey 12.52022-07-20
Apple
CVE-2022-2294: iOS 15.6 and iPadOS 15.62022-07-20