CVE-2022-2294

CVE-2022-2294 is a high-severity vulnerability in Google Chrome with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-25). The underlying weakness is classified as CWE-787.

Key facts

Description

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-2294: WebRTC Heap Buffer Overflow in Google Chrome

AI-generated analysis based on the vulnerability data on this page.

Summary

A heap buffer overflow vulnerability in the WebRTC implementation of Google Chrome enables remote attackers to potentially achieve heap corruption and code execution by enticing a user to visit a crafted HTML page. The flaw was patched in July 2022 but remains relevant for unpatched installations and derived codebases.

Background

WebRTC (Web Real-Time Communication) is an open-source project that provides browsers and mobile applications with real-time communication capabilities via simple APIs. It is integrated into Google Chrome and used by numerous other browsers and applications, including those built on WebKitGTK and WPE WebKit. Because WebRTC handles media streams and peer connections directly in the browser engine, memory-safety bugs in its implementation can expose a broad attack surface to untrusted web content.

Root Cause

The vulnerability is classified as CWE-787: Out-of-bounds Write, specifically manifesting as a heap buffer overflow within WebRTC. The flaw occurs when processing malformed input during a real-time communication session, causing data to be written beyond the bounds of an allocated heap buffer. This type of memory corruption typically stems from insufficient bounds checking when handling variable-length data structures, such as media frames or signalling messages, passed through the WebRTC stack.

Impact

The National Vulnerability Database assigns this issue a CVSS v3.1 score of 8.8 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The metrics indicate:

  • Attack Vector (AV): Network — the vulnerability can be exploited remotely.
  • Attack Complexity (AC): Low — no special conditions or significant planning are required.
  • Privileges Required (PR): None — the attacker needs no prior privileges.
  • User Interaction (UI): Required — the victim must perform an action, such as visiting a malicious page.
  • Scope (S): Unchanged — the vulnerable component and impacted component are the same.
  • Confidentiality, Integrity, Availability (C/I/A): High — successful exploitation can lead to complete compromise of the target system.

The impact score is 5.9 and the exploitability score is 2.8.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive and educational purposes only. No weaponised exploit code is included.

An attacker can host a malicious HTML page containing a crafted WebRTC session description or media stream. When a vulnerable browser navigates to the page, the WebRTC component processes the malformed data. Due to the missing bounds check, the processing routine writes attacker-controlled data past the end of a heap allocation. On modern systems with heap mitigations, reliable code execution typically requires additional heap grooming or spraying techniques; however, the fundamental primitive is a powerful out-of-bounds write that can corrupt adjacent objects, vtables, or metadata. Defenders should assume that a motivated threat actor can convert this primitive into arbitrary code execution, especially given the public nature of the bug and the availability of patched source code for differential analysis.

Affected and Patched Versions

Google addressed this flaw in Chrome 103.0.5060.114 for desktop platforms, released in July 2022. CPE data indicates that the vulnerability also affects:

  • WebKitGTK
  • WPE WebKit
  • Apple iOS, iPadOS, macOS, tvOS, and watchOS
  • The WebRTC project itself

Specific package advisories from openSUSE and SUSE reference Chromium versions prior to 103.0.5060.114-bp154.2.14.1 and Opera versions prior to 88.0.4412.74-lp154.2.11.1 as affected. Users of derived browsers, embedded WebRTC engines, or downstream distributions should verify their patch level against the upstream Chrome release.

Remediation

  1. Upgrade immediately. Install Google Chrome 103.0.5060.114 or later. Users of Chromium-based browsers, WebKitGTK, and WPE WebKit should apply the corresponding security updates from their vendor.
  2. Compensating controls. If patching is not immediately possible:
    • Disable WebRTC in browser settings or via enterprise policy where business needs allow.
    • Restrict browser execution to trusted sites using application control or URL filtering.
    • Ensure operating-system-level exploit mitigations (ASLR, DEP/NX, Control Flow Guard) are enabled.

Detection

Network and endpoint defenders can look for:

  • Exploitation artefacts: Unexpected crashes in the browser renderer or WebRTC process (e.g., chrome.exe, Chromium Helper) accompanied by heap-corruption exception codes.
  • Threat-intelligence indicators: Historical exploitation has been confirmed by CISA and EU authorities. Hunt for known exploit-kit landing pages or malicious HTML attachments that initiate RTCPeerConnection objects with unusually large or malformed SDP payloads.
  • Telemetry rules: Monitor for browsers generating WebRTC traffic immediately after visiting newly registered or low-reputation domains, which may indicate drive-by exploitation attempts.

Assessment

With an EPSS score of 0.70461 (approximately 70.5 % probability of exploitation in the wild) and a percentile of 0.99309, this vulnerability sits in the top tier of actively exploited flaws. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 25 August 2022, and the EU vulnerability database also flags it as actively exploited from the same date. The gap between public disclosure (28 July 2022) and confirmed in-the-wild exploitation was roughly four weeks, underscoring how quickly threat actors operationalise browser memory-corruption bugs.

Key lessons:

  1. Patch velocity matters. A four-week window from patch to confirmed exploitation means that even organisations with monthly patching cycles may have been exposed.
  2. Shared libraries multiply risk. Because WebRTC is a shared component across Chrome, Safari (via WebKit), and numerous embedded browsers, a single upstream bug can cascade across multiple product lines. Inventory and patch management must cover all derived applications, not just the primary browser.

References

Frequently asked questions

What is CVE-2022-2294?
Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
How severe is CVE-2022-2294?
CVE-2022-2294 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-2294 being actively exploited?
Yes. CVE-2022-2294 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-2294?
CVE-2022-2294 primarily affects Google Chrome. In total, 30 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-2294?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-2294 have an EU (EUVD) identifier?
Yes. CVE-2022-2294 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-34567. It is also flagged as exploited in the EUVD (since 2022-08-25).
When was CVE-2022-2294 published?
CVE-2022-2294 was published on 2022-07-28 and last updated on 2026-06-17.

References

Affected products (30)

More vulnerabilities in Google Chrome

All CVEs affecting Google Chrome →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →