While many expected — or at least hoped — that the 4th of July would be quiet on the cybersecurity front, Google on Monday announced the release of an emergency Chrome update that patches an actively exploited zero-day vulnerability.
The flaw, tracked as CVE-2022-2294, has been described as a heap buffer overflow in WebRTC. The security hole was reported to Google by a member of the Avast Threat Intelligence team on July 1.
The zero-day has been patched with the release of Chrome 103.0.5060.114 for Windows.
No information has been made available about the attacks exploiting CVE-2022-2294. SecurityWeek has reached out to Avast for more information and will update this article if the company can share any details.
This is the fourth actively exploited Chrome vulnerability that Google has patched this year. The company said recently that it has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, and many of them exist because previous flaws were not properly addressed.
In addition to CVE-2022-2294, the latest Chrome update patches two other high-severity issues: CVE-2022-2295, a type confusion in the V8 engine, and CVE-2022-2296, a use-after-free in the Chrome OS Shell component.
Related: Chrome 102 Update Patches High-Severity Vulnerabilities
Related: Google Issues Emergency Fix for Chrome Zero-Day
Related: Emergency Firefox Update Patches Two Actively Exploited Zero-Day Vulnerabilities