CVE-2022-2294

HIGH KEV RANSOMWARE

Google Chrome < 103.0.5060.114 - Heap Buffer Overflow in WebRTC

Exploitation Summary

CVE-2022-2294 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 25, 2022, with confirmed use in ransomware campaigns.

Description

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Scores

CVSS v3 8.8
EPSS 0.0108
EPSS Percentile 78.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-08-25
VulnCheck KEV 2022-07-01
InTheWild.io 2022-07-01
ENISA EUVD EUVD-2022-34567
Ransomware Use Confirmed
CWE CWE-787
Status published
Products (14)
apple/ipados < 15.6
apple/iphone_os < 15.6
apple/mac_os_x 10.15.7 (17 CPE variants)
apple/mac_os_x < 10.15.7
apple/macos < 11.6.8
apple/tvos < 15.6
apple/watchos < 8.7
fedoraproject/extra_packages_for_enterprise_linux 8.0
fedoraproject/fedora 35
fedoraproject/fedora 36
... and 4 more
Published Jul 28, 2022
KEV Added Aug 25, 2022
Tracked Since Feb 18, 2026