Cyber Resilience

CVE-2022-2294

HighCISA KEVActive ExploitationEUVD ExploitedRansomware-linked

Published: 28 July 2022

Published
28 July 2022
Modified
24 October 2025
KEV Added
25 August 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0111 78.5th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-2294 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Mac Os X. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 21.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2022-2294 is a heap buffer overflow vulnerability in the WebRTC component of Google Chrome versions prior to 103.0.5060.114. The flaw, tracked under CWE-787, stems from improper bounds checking that can lead to heap corruption when processing certain inputs.

A remote attacker can exploit the issue by convincing a user to visit a crafted HTML page, achieving arbitrary code execution or other impacts consistent with the CVSS 8.8 rating that reflects network attack vector, low complexity, and no required privileges.

Chrome stable channel updates released on 28 July 2022 address the vulnerability by advancing the browser to version 103.0.5060.114 or later; downstream distributions such as Fedora also issued corresponding package updates to incorporate the fix.

The associated EPSS score rose from a low baseline after disclosure to a peak of 0.1589 on 2024-12-17 before receding to the current value of 0.0150, indicating that exploitation interest materialized well after the original publication.

EU & UK References

Vulnerability details

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
25 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 103.0.5060.114
fedoraproject
extra packages for enterprise linux
8.0
fedoraproject
fedora
35, 36
webkitgtk
webkitgtk
≤ 2.36.5
wpewebkit
wpe webkit
≤ 2.36.5
apple
ipados
≤ 15.6
apple
iphone os
≤ 15.6
apple
mac os x
10.15.7 · ≤ 10.15.7
apple
macos
≤ 11.6.8 · 12.0 — 12.5
apple
tvos
≤ 15.6
+2 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch that eliminates the heap buffer overflow in WebRTC.

prevent

Enforces memory-protection mechanisms that can block or contain the heap corruption exploited by the crafted HTML page.

SC-18 Mobile Code partial match
prevent

Allows definition of usage restrictions and controls on mobile code (WebRTC/JavaScript) that can reduce exposure to the remote exploit vector.

References