Tracked as CVE-2022-2587 (CVSS score of 9.8) and described as an out-of-bounds write, the vulnerability was addressed with the release of a patch in June.

The issue was identified in the CRAS (ChromiumOS Audio Server) component, and could be triggered using malformed metadata associated with songs.

CRAS resides between the operating system and ALSA (Advanced Linux Sound Architecture) to route audio to newly attached peripherals that support audio.

Microsoft’s security researchers discovered that the server contained a function that did not check a user-supplied ‘identity’ argument, thus leading to a heap-based buffer overflow – a type of bug often exploited to achieve remote code execution.