CVE-2023-7024
published 2023-12-21CVE-2023-7024: Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML…
PriorityP184high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-01-23
Exploited in the wild
EPSS
7.36%
93.6th percentile
Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 120.0.6099.129-1~deb11u1 | 120.0.6099.129-1~deb11u1 |
| chromium | chromium | >= 0 < 120.0.6099.129-1~deb12u1 | 120.0.6099.129-1~deb12u1 |
| chromium | chromium | >= 0 < 120.0.6099.129-1 | 120.0.6099.129-1 |
| chromium | chromium | >= 0 < 120.0.6099.129-1 | 120.0.6099.129-1 |
| debian | chromium | < chromium 120.0.6099.129-1~deb12u1 (bookworm) | chromium 120.0.6099.129-1~deb12u1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 120.0.6099.129 | 120.0.6099.129 | |
| chrome | >= 120.0.6099.129 < 120.0.6099.129 | 120.0.6099.129 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2023-7024 is a heap buffer overflow in WebRTC (real-time communication component) in Google Chrome; exploit exists in the wild per Google TAG — monitor for exploitation of WebRTC heap corruption via crafted HTML pages ↗
- →Any browser using WebRTC (not just Chrome) may be impacted — broaden detection scope beyond Chrome to other Chromium-based browsers ↗
- ·CISA KEV remediation deadline was 2024-01-23 for federal agencies; any unpatched Chrome/Chromium-based browser prior to 120.0.6099.129 remains vulnerable ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2023-7024
vendor_chrome·2024-01-10·CVSS 8.8
CVE-2023-7024 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2023-7024
Long Term Support Channel Update for ChromeOS
CVE-2023-7024
CISA
Google Chromium WebRTC Heap Buffer Overflow Vulnerability
cisa·2024-01-02·CVSS 8.8
CVE-2023-7024 [HIGH] CWE-787 Google Chromium WebRTC Heap Buffer Overflow Vulnerability
Vulnerability: Google Chromium WebRTC Heap Buffer Overflow Vulnerability
Affected: Google Chromium WebRTC
Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, p
Microsoft
Chromium: CVE-2023-7024 Heap buffer overflow in WebRTC
vendor_msrc·2023-12-12·CVSS 8.8
CVE-2023-7024 [HIGH] Chromium: CVE-2023-7024 Heap buffer overflow in WebRTC
Chromium: CVE-2023-7024 Heap buffer overflow in WebRTC
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware that an exploit for CVE-2023-7024 exists in the wild.
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
120.0.2210.91
12/21/2023
120.0.6099.130
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-bas
Debian
CVE-2023-7024: chromium - Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed ...
vendor_debian·2023·CVSS 8.8
CVE-2023-7024 [HIGH] CVE-2023-7024: chromium - Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed ...
Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 120.0.6099.129-1~deb12u1)
bullseye: resolved (fixed in 120.0.6099.129-1~deb11u1)
forky: resolved (fixed in 120.0.6099.129-1)
sid: resolved (fixed in 120.0.6099.129-1)
trixie: resolved (fixed in 120.0.6099.129-1)
GHSA
GHSA-7c6v-f3h8-2x89: Heap buffer overflow in WebRTC in Google Chrome prior to 120
ghsa_unreviewed·2023-12-22
CVE-2023-7024 [HIGH] CWE-787 GHSA-7c6v-f3h8-2x89: Heap buffer overflow in WebRTC in Google Chrome prior to 120
Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2023-7024: Heap buffer overflow in WebRTC in Google Chrome prior to 120
osv·2023-12-21·CVSS 8.8
CVE-2023-7024 [HIGH] CVE-2023-7024: Heap buffer overflow in WebRTC in Google Chrome prior to 120
Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium WebRTC Heap Buffer Overflow Vulnerability
vulncheck·2023·CVSS 8.8
CVE-2023-7024 [HIGH] CWE-787 Google Chromium WebRTC Heap Buffer Overflow Vulnerability
Google Chromium WebRTC Heap Buffer Overflow Vulnerability
Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome.
Affected: Google Chromium WebRTC
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://storage.googleapis.com/gweb-u
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Google fixes first actively exploited Chrome zero-day of 2024
blogs_bleepingcomputer·2024-01-16·CVSS 8.8
CVE-2024-0519 [HIGH] Google fixes first actively exploited Chrome zero-day of 2024
## Google fixes first actively exploited Chrome zero-day of 2024
## Sergiu Gatlan
Although Google says the security update could take days or weeks to reach all impacted users, it was available immediately when BleepingComputer checked for updates today.
Those who prefer not to update their web browser manually can rely on Chrome to automatically check for new updates and install them after the next launch.
The high-severity zero-day vulnerability ( CVE-2024-0519 ) is due to a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via a crafted HTML page to gain access to data beyond the memory buffer through heap corruption, providing them access to sensitive information or triggering a crash.
"The expected sentinel
Bleepingcomputer
CISA warns of actively exploited bugs in Chrome and Excel parsing library
blogs_bleepingcomputer·2024-01-03·CVSS 8.8
[HIGH] CISA warns of actively exploited bugs in Chrome and Excel parsing library
## CISA warns of actively exploited bugs in Chrome and Excel parsing library
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to the Known Exploited Vulnerabilities catalog, a recently patched flaw in Google Chrome and a bug affecting an open-source Perl library for reading information in an Excel file called Spreadsheet::ParseExcel.
America's cyber defense agency has given federal agencies until January 23 to mitigate the two security issues tracked as CVE-2023-7024 and CVE-2023-7101 according to vendor instructions or to stop using the vulnerable products.
## Spreadsheet::ParseExcel RCE
The first issue that CISA added to its Known Exploited Vulnerabilities (KEV) is CVE-2023-7101 , a remote code execution vulnerability that affect
Wiz
Crying Out Cloud - January Newsletter | Wiz
blogs_wiz·2024-01-01·CVSS 8.8
CVE-2023-26360 [HIGH] Crying Out Cloud - January Newsletter | Wiz
This month we’ve seen several vulnerabilities and security incidents that have left users affected. We know you're busy too, so we've sifted through the noise to bring you the real game-changers.
Here are our top picks!
## 🐞 High Profile Vulnerabilities
Adobe ColdFusion RCE vulnerability exploited in-the-wild
CVE-2023-26360 is a critical vulnerability in Adobe ColdFusion that was published in March 2023. This vulnerability could allow an attacker to execute arbitrary code on the remote server in the context of the current user. On December 5, 2023, CISA announced that threat actors were actively exploiting this vulnerability in order to gain initial access to government-owned servers. Customers should update Adobe ColdFusion to the latest version.
According to Wiz data, less than 1% o
Checkpoint
25th December – Threat Intelligence Report
blogs_checkpoint·2023-12-25·CVSS 7.5
CVE-2023-4966 [HIGH] 25th December – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 25th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 25th December, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Australia’s largest non-profit healthcare provider, St. Vincent’s Health Australia, experienced a cyberattack resulting in data theft from its networks. Vincent’s operates public and private hospitals, as well as elderly care facilities across New South Wales, Victoria, and Queensland, employing over 20,000 staff.
Xfin
Bleepingcomputer
Google fixes 8th Chrome zero-day exploited in attacks this year
blogs_bleepingcomputer·2023-12-20·CVSS 8.8
[HIGH] Google fixes 8th Chrome zero-day exploited in attacks this year
## Google fixes 8th Chrome zero-day exploited in attacks this year
## Sergiu Gatlan
The bug was discovered and reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG), a collective of security experts whose primary goal is to defend Google customers from state-sponsored attacks.
Google's Threat Analysis Group (TAG) frequently discovers zero-day bugs exploited by government-sponsored threat actors in targeted attacks aiming to deploy spyware on the devices of high-risk individuals, including opposition politicians, dissidents, and journalists.
Even though the security update could take days or weeks to reach all users, according to Google, it was available immediately when BleepingComputer checked for updates earlier today.
Individuals who prefer not t
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.htmlhttps://crbug.com/1513170https://lists.fedoraproject.org/archives/list/[email protected]/message/6M6AJDHUL6EDPURWQXGLUFJNDE7SOJT3/https://lists.fedoraproject.org/archives/list/[email protected]/message/U6JL4VHZMHFGEGQYTF74533ZNRWMCMMR/https://security.gentoo.org/glsa/202401-34https://www.debian.org/security/2023/dsa-5585https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.htmlhttps://crbug.com/1513170https://lists.fedoraproject.org/archives/list/[email protected]/message/6M6AJDHUL6EDPURWQXGLUFJNDE7SOJT3/https://lists.fedoraproject.org/archives/list/[email protected]/message/U6JL4VHZMHFGEGQYTF74533ZNRWMCMMR/https://security.gentoo.org/glsa/202401-34https://www.debian.org/security/2023/dsa-5585https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7024
2023-12-21
Published
2024-01-02
Added to CISA KEV
Exploited in the wild