Microsoft shared details of a critical ChromeOS vulnerability tracked as CVE-2022-2587 (CVSS score of 9.8). The flaw is an out-of-bounds write issue in the OS Audio Server that could be exploited to trigger a DDoS condition or, under specific circumstances, to achieve remote code execution.
Microsoft reported the issue to Google in April 2022 through the Chromium bug tracking system.
Google addressed the vulnerability in June. An attacker can trigger the flaw using malformed metadata associated with songs.
Microsoft discovered a function in the server that did not check a user-supplied ‘identity’ argument, leading to a heap-based buffer overflow.
The OS Audio Server contains a method that extracts the ‘identity’ from metadata representing a song’s title. An attacker can trigger the flaw by modifying the audio metadata either from the browser or via Bluetooth when a new song is being played.
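The bug class described above, an unchecked copy of a caller-supplied string into a fixed-size heap field, is shown here next to a length-checked form. This is an added illustration, not code from the ChromeOS audio server; the struct, function names and the 128-byte field size are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout: a heap-allocated metadata record with a
 * fixed-size title field (size chosen for illustration only). */
#define TITLE_MAX 128

struct player_metadata {
    char title[TITLE_MAX];
    unsigned int length_ms;   /* neighbouring field, first to be corrupted */
};

struct player_metadata *metadata_new(void)
{
    return calloc(1, sizeof(struct player_metadata));
}

/* Unchecked pattern: copies until the source's NUL terminator and
 * ignores TITLE_MAX. An identity of TITLE_MAX bytes or more writes
 * past title, into length_ms and then past the heap allocation. */
void update_identity_unchecked(struct player_metadata *md, const char *identity)
{
    strcpy(md->title, identity);
}

/* Checked form: validates the input before any write.
 * Returns 0 on success, -1 if the input was rejected. */
int update_identity_checked(struct player_metadata *md, const char *identity)
{
    const char *end;
    size_t len;

    if (md == NULL || identity == NULL)
        return -1;
    /* Bounded scan: look for the terminator within TITLE_MAX bytes. */
    end = memchr(identity, '\0', TITLE_MAX);
    if (end == NULL)
        return -1;            /* would not fit together with its NUL */
    len = (size_t)(end - identity);
    memcpy(md->title, identity, len);
    md->title[len] = '\0';
    return 0;
}
```

Rejecting over-long metadata leaves the record untouched; truncating to `TITLE_MAX - 1` bytes is an alternative when the title must always be displayed.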