Cyber Resilience

CVE-2023-7024

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 21 December 2023

Published
21 December 2023
Modified
24 October 2025
KEV Added
02 January 2024
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0307 87.0th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-7024 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Debian Debian Linux. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 13.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A heap buffer overflow vulnerability, tracked as CWE-787, affects the WebRTC component in Google Chrome versions prior to 120.0.6099.129. The flaw permits heap corruption when a victim visits a crafted HTML page, carrying a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and no required privileges.

A remote attacker can trigger the issue by serving malicious WebRTC content that the browser processes, achieving potential full compromise of the renderer process with impacts to confidentiality, integrity, and availability. User interaction is required in the form of visiting the attacker-controlled page.

Chrome stable channel updates and downstream advisories from Fedora and Gentoo direct users to upgrade immediately to version 120.0.6099.129 or later; the referenced Chromium bug report and release notes confirm the fix was shipped in the December 2023 stable update.

The EPSS score rose sharply from a low baseline to a peak of 0.4807 on 2024-12-27 before receding to the current 0.0307, indicating that exploitation interest emerged well after public disclosure.

EU & UK References

Vulnerability details

Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
02 January 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 120.0.6099.129
debian
debian linux
11.0, 12.0
fedoraproject
fedora
38, 39

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch that eliminates the heap buffer overflow in WebRTC.

prevent

Enforces memory-protection mechanisms that block out-of-bounds writes on the heap before they corrupt memory.

prevent

Allows disabling or restricting the WebRTC component so the vulnerable code path cannot be reached by crafted HTML.

References