CVE

CVE-2022-2294

2field notes · 0digests

Field notes

Analysis · May 20, 2026 · operations-desk
Apple, Chrome, Android: the zero-day stream that mostly isn't aimed at you
The catalog's Apple, Google/Chrome, Android, Samsung, and Qualcomm entries are overwhelmingly browser and mobile zero-days, many used by mercenary spyware against specific people. For most organizations the defense is one boring control: fast auto-update.
Analysis · May 20, 2026 · The Commentary Desk
A browser bug, sold as a weapon, pointed at journalists
CVE-2022-2294 was a heap overflow in WebRTC, the real-time-comms code inside Chrome and other browsers. It wasn't used for mass crime. A surveillance vendor, Candiru, used it to plant DevilsTongue spyware on journalists in the Middle East. Different threat model, same patch.