Google Chrome’s WebRTC vulnerability

The CVE-2023-7024 vulnerability affects Google Chrome versions before 120.0.6099.129. It’s a serious security issue known as a heap buffer overflow. This problem could let attackers corrupt memory and execute malicious code through a specially crafted HTML page. The vulnerability’s severity is high, with a CVSS score of 8.8, indicating a significant risk. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) breaks down the risk factors, including how it’s accessed, its complexity, and the potential impact on confidentiality, integrity, and availability.

This vulnerability is recognized in the CISA’s Known Exploited Vulnerabilities Catalog, suggesting it’s being actively exploited and poses a real-world threat. Users are urged to apply the provided updates or stop using vulnerable versions of the software. It affects certain versions of Google Chrome, Debian Linux, and Fedora.

In response to the active exploitation, which could lead to severe outcomes like crashes or ransomware, Google has released an update to mitigate the issue. Users should update their Google Chrome to the latest version as of December 20, 2023, to protect against this vulnerability. For further protection and information, users are encouraged to refer to the provided advisories and updates from Google and other third-party sources.

Updates for Chrome as of Dec. 20, 2023: Chrome Releases: Stable Channel Update for Desktop (googleblog.com)

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity  here and executive management on https://paulbergman.org for both corporate and nonprofit boards.