CVE-2023-7024
Published: 21 December 2023
Summary
CVE-2023-7024 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Debian Linux. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 13.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A heap buffer overflow vulnerability, classified as CWE-787, affects the WebRTC component in Google Chrome versions prior to 120.0.6099.129. The flaw permits heap corruption when a victim visits a crafted HTML page. It carries a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, and no required privileges.
A remote attacker can trigger the issue by serving malicious WebRTC content that the browser processes, achieving potential full compromise of the renderer process with impacts to confidentiality, integrity, and availability. User interaction is required in the form of visiting the attacker-controlled page.
Chrome stable channel updates and downstream advisories from Fedora and Gentoo direct users to upgrade immediately to version 120.0.6099.129 or later; the referenced Chromium bug report and release notes confirm the fix was shipped in the December 2023 stable update.
The EPSS score rose sharply from a low baseline to a peak of 0.4807 on 2024-12-27 before receding to the current 0.0307, indicating that exploitation interest emerged well after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59215
Vulnerability details
Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-787
- KEV Date Added: 02 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patch that eliminates the heap buffer overflow in WebRTC.
- SI-16 (Memory Protection): enforces memory-protection mechanisms that block out-of-bounds writes on the heap before they corrupt memory.
- Allows disabling or restricting the WebRTC component so the vulnerable code path cannot be reached by crafted HTML.