A browser bug, sold as a weapon, pointed at journalists
CVE-2022-2294 was a heap overflow in WebRTC, the real-time-comms code inside Chrome and other browsers. It wasn't used for mass crime. A surveillance vendor, Candiru, used it to plant DevilsTongue spyware on journalists in the Middle East. Different threat model, same patch.
Most of the bugs in this catalog are exploited for money or access at scale: ransomware, botnets, mass scanning. CVE-2022-2294 is a different kind of entry. It’s a heap buffer overflow in WebRTC, the open-source real-time-communications component built into Chrome and many other browsers, and it was used as a precision weapon. Avast’s Jan Vojtěšek found it being exploited in the wild by Candiru, an Israeli commercial-surveillance vendor, to plant its DevilsTongue spyware on the devices of journalists in Lebanon, Turkey, Yemen, and Palestine. A web bug, sold to governments, pointed at specific people.
What the bug is
CVE-2022-2294 is a heap-based buffer overflow (CWE-122) in WebRTC. NVD’s description is the generic Chrome one: a crafted HTML page that lets a remote attacker corrupt the heap. Avast’s analysis of the captured exploit was more specific: it gave the attacker shellcode execution inside the browser’s renderer process, and a separate sandbox escape, which Avast was not able to recover, was needed to get beyond it. Because WebRTC is a shared component, the flaw reached well beyond Chrome: Apple shipped a fix for the same CVE in Safari 15.6 on July 20, 2022, and Microsoft Edge and other Chromium-based browsers picked it up with their Chromium updates. Google rated it high-severity and shipped the fix in Chrome 103.0.5060.114 on July 4, 2022, three days after Avast reported active exploitation on July 1. CISA added it to the Known Exploited Vulnerabilities catalog on August 25, 2022. Candiru had been using it since at least March 2022 in narrowly targeted attacks: victims were compromised by visiting attacker-controlled or compromised pages, and in the Lebanon case Avast described, the operators compromised a news-agency website and injected JavaScript that profiled each visitor (language, timezone, screen, browser, and similar) before serving the exploit, so the payload was not handed to every visitor.
The mercenary-spyware threat model
This CVE is a window into a part of the threat landscape that doesn’t look like the rest of the catalog. Commercial surveillance vendors such as Candiru and NSO Group develop or buy browser and mobile zero-days and sell them to government clients, packaged with spyware like DevilsTongue or Pegasus. The targets aren’t random; they’re journalists, dissidents, activists, lawyers, and political figures. The economics are inverted from criminal exploitation: instead of hitting many victims cheaply, these operators spend large sums on zero-days to compromise a few high-value individuals quietly.
A few implications follow for how to think about browser bugs:
- Browser zero-days are increasingly mercenary-grade. A high-severity, in-the-wild browser bug with a named surveillance vendor behind it tells you the exploit is well-engineered and was expensive, which means it is reliable and was used deliberately. The “is this really exploitable” question is already answered; what remains is who was in range.
- Shared components multiply reach. WebRTC isn’t unique to Chrome: Safari, Edge, and anything else that embeds the library carried the same bug. A flaw in a widely-embedded component lands in many products at once, so “we don’t use Chrome” is not the safe conclusion it sounds like; check everything that bundles the component.
- The target population is specific, and at real risk. For most organizations this CVE is a routine “patch your browsers” item. For organizations and individuals in the surveillance crosshairs (journalism, human rights, dissident communities, and the people who support them), it is a genuine targeted-threat concern that warrants extra protection.
What to do
For the general case, the defense is the boring one that works:
- Keep browsers on automatic updates and current. Chrome and other major browsers auto-update fast, and this fix shipped three days after the report. The risk pocket, as with every browser bug, is managed environments that pin versions or gate browser updates behind change windows; for an actively-exploited browser zero-day, that delay is the exposure. Make sure your fleet actually takes browser updates promptly, and verify it by checking installed versions rather than trusting the policy.
- Inventory what embeds the affected component. WebRTC and similar libraries live in many applications beyond the browser: other Chromium-based browsers, Electron-based desktop apps, and anything else that bundles a browser engine. Identify and update everything that bundles them.
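One concrete form of the two checks above, as an added example and not code from the original post or from any vendor’s tooling: a POSIX shell script that compares Chromium-style version strings segment by segment (plain string sorting puts 103.0.5060.71 after 103.0.5060.114), flags fleet entries below the fix version, and reads the local Chrome’s version where one is installed. The floor 103.0.5060.114 is Chrome’s own fixed version from Google’s July 4, 2022 stable update; the inventory records and host names are constructed, and other Chromium embedders (Edge, Electron apps) carry different version numbers, so the floor is a parameter rather than a constant.

```shell
#!/bin/sh
# Added example, not from the original post or any vendor's tooling: flag
# Chromium-based browsers whose version predates the CVE-2022-2294 fix.
# Chrome's floor is 103.0.5060.114 (Google's stable update of 2022-07-04).
# Other embedders (Edge, Electron apps) use their own version lines, so the
# floor is passed in per product rather than hard-coded.

# vercmp A B -> prints -1, 0 or 1 after comparing dotted numeric versions
# segment by segment. A plain string comparison gets this wrong:
# "103.0.5060.71" sorts after "103.0.5060.114" lexically.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}          # leading segment of each side
    if [ "$ax" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bx" = "$b" ]; then b=''; else b=${b#*.}; fi
    ax=${ax:-0}; bx=${bx:-0}          # a missing trailing segment counts as 0
    if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# is_fixed VERSION FLOOR -> succeeds when VERSION >= FLOOR (patched).
is_fixed() {
  [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# Constructed inventory (hypothetical hosts, not real data), one
# host,product,version record per line. In practice this comes from the
# MDM or EDR export; the point is that the comparison runs over all of it.
INVENTORY='wk-0417,chrome,103.0.5060.71
wk-0418,chrome,103.0.5060.114
wk-0519,chrome,104.0.5112.79
kiosk-02,chrome,102.0.5005.115
wk-0620,chrome,99.0.4844.51'

# count_exposed FLOOR -> prints one status line per host, then "exposed=N".
count_exposed() {
  floor=$1; n=0
  oldifs=$IFS; IFS='
'
  for line in $INVENTORY; do
    IFS=$oldifs
    host=${line%%,*}; rest=${line#*,}
    product=${rest%%,*}; version=${rest#*,}
    if is_fixed "$version" "$floor"; then
      printf '%s %s %s patched\n' "$host" "$product" "$version"
    else
      printf '%s %s %s EXPOSED\n' "$host" "$product" "$version"
      n=$((n + 1))
    fi
  done
  IFS=$oldifs
  printf 'exposed=%s\n' "$n"
}

# installed_version CMD -> prints the dotted version that CMD --version
# reports (e.g. "Google Chrome 103.0.5060.114" -> 103.0.5060.114);
# prints nothing if CMD is not installed.
installed_version() {
  command -v "$1" >/dev/null 2>&1 || return 0
  "$1" --version 2>/dev/null | sed -n 's/[^0-9]*\([0-9.]*\).*/\1/p'
}

# Run the constructed inventory against Chrome's floor, then check the local
# Chrome binary if one is present (silent on machines without one).
count_exposed 103.0.5060.114
for cmd in google-chrome google-chrome-stable chromium chromium-browser; do
  v=$(installed_version "$cmd")
  if [ -n "$v" ]; then
    if is_fixed "$v" 103.0.5060.114; then
      printf 'local %s %s patched\n' "$cmd" "$v"
    else
      printf 'local %s %s EXPOSED\n' "$cmd" "$v"
    fi
  fi
done
```

The segment-wise comparison is the part worth copying: version-pinning policies and quick `sort`-based checks routinely misorder four-part Chromium versions, and a host reported as “103.0.5060.71 is newer than .114” is exactly the pocket of exposure the bullet above describes.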
For high-risk users and the organizations that protect them, do more:
- Turn on the hardened modes. Apple’s Lockdown Mode (iOS 16 and macOS Ventura onward) trims the web attack surface exploits like this one target, including JavaScript JIT compilation in Safari; on the Google side, Chrome’s Enhanced Safe Browsing and the Advanced Protection Program add blocking of known-bad sites and stronger account protection. None of these replace patching: a hardened mode shrinks the surface, the update removes the bug.
- Treat targeted-threat protection as a distinct program. Journalists, activists, executives, and dissidents face a different adversary than commodity malware, and standard endpoint defenses aren’t tuned for mercenary spyware. Threat modeling, device-update discipline, and engaging organizations that specialize in this protection are warranted.
The reframe is about reading exploitation context, not just severity. A browser heap overflow is a generic-sounding bug, but “who is using it, and against whom” turns CVE-2022-2294 into something specific: a surveillance vendor’s tool for spying on journalists. For most readers the action is the same as for any browser bug, patch fast, which is exactly why fast browser auto-update is one of the highest-value security defaults there is. For the people these exploits are actually aimed at, it is a reminder that the threat is real, well-funded, and personal. We flag browser and shared-component zero-days the day they land, and note when the operator is a mercenary-spyware vendor, because that context changes who needs to worry and how much.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2022-2294 — 2022-07
- Google Project Zero: CVE-2022-2294 heap buffer overflow in WebRTC (root-cause analysis) — 2022
- BleepingComputer: Chrome zero-day used to infect journalists with Candiru spyware — 2022-07
- The Hacker News: Candiru spyware caught exploiting Google Chrome zero-day to target journalists — 2022-07
Related field notes
- Apple, Chrome, Android: the zero-day stream that mostly isn't aimed at you. The catalog's Apple, Google/Chrome, Android, Samsung, and Qualcomm entries are overwhelmingly browser and mobile zero-days, many used by mercenary spyware against specific people. For most organizations the defense is one boring control: fast auto-update.
- Content-process only is one bug short of game over. CVE-2024-9680 was a Firefox use-after-free that 'only' ran code in the sandboxed content process. RomCom paired it with a Windows sandbox escape and turned a single page visit into a backdoor. Mozilla shipped the fix in about 25 hours.
- Before MOVEit and GoAnywhere, Cl0p's playbook was born on a 20-year-old Accellion box. The Accellion FTA breaches of late 2020 are where Cl0p's mass-data-theft-and-extortion model started. Four CVEs in a legacy file-transfer appliance, exploited to steal data from dozens of organizations. The product was already two decades old and on its way out.