CVE-2022-2294
Published: 28 July 2022
Summary
CVE-2022-2294 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Mac OS X. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 21.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2022-2294 is a heap buffer overflow vulnerability in the WebRTC component of Google Chrome versions prior to 103.0.5060.114. The flaw, tracked under CWE-787, stems from improper bounds checking that can lead to heap corruption when processing certain inputs.
A remote attacker can exploit the issue by convincing a user to visit a crafted HTML page, achieving arbitrary code execution or other impacts consistent with the CVSS 8.8 rating that reflects network attack vector, low complexity, and no required privileges.
Chrome stable channel updates released on 28 July 2022 address the vulnerability by advancing the browser to version 103.0.5060.114 or later; downstream distributions such as Fedora also issued corresponding package updates to incorporate the fix.
The associated EPSS score rose from a low baseline after disclosure to a peak of 0.1589 on 2024-12-17 before receding to the current value of 0.0150, indicating that exploitation interest materialized well after the original publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34567
Vulnerability details
Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s)
- KEV Date Added: 25 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch that eliminates the heap buffer overflow in WebRTC.
Enforces memory-protection mechanisms that can block or contain the heap corruption exploited by the crafted HTML page.
Allows definition of usage restrictions and controls on mobile code (WebRTC/JavaScript) that can reduce exposure to the remote exploit vector.