In order to fix a zero-day vulnerability, Google has published updated versions of its Chrome browser for Windows and Android. Versions 103.0.5060.114 for Windows and 103.0.5060.71 for Android both have fixes for the vulnerability.
The bug concerns the open web standard for creating speech and video apps for real-time communications which is called WebRTC (RTC). All of the main browser vendors support the standard, and JavaScript in the browser makes it possible.
This vulnerability followed another bug disclosed from Chromium back in January 2022, that is also concerning the same third party library WebRTC.
Google Chrome WebRTC RTPSenderVideoFrameTransformerDelegate memory corruption vulnerability (TALOS-2021-1372) (reward: $7500) https://t.co/phdCZxZeVx
— Chromium Disclosed Security Bugs (@BugsChromium) January 10, 2022
Google withholds all information about the issue until the majority of users have received an update with the fix. If the restriction is in a third-party library that is also used by other projects but doesn’t yet have the defect rectified, it can still be present.
Two further serious issues are also fixed by the update. CVE-2022-2296 is a “use after free” memory bug in Chrome OS Shell, whereas CVE-2022-2295 is a type confusion in Chrome’s V8 JavaScrip engine.