CVE-2023-7024
published 2023-12-21

Priority: P1 · 84 · high
CVSS 3.1: 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2024-01-23
Exploited in the wild
EPSS: 7.36% (93.6th percentile)
Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected

13 ranges

Vendor         Product          Version range                            Fixed in
chromium       chromium         >= 0 < 120.0.6099.129-1~deb11u1          120.0.6099.129-1~deb11u1
chromium       chromium         >= 0 < 120.0.6099.129-1~deb12u1          120.0.6099.129-1~deb12u1
chromium       chromium         >= 0 < 120.0.6099.129-1                  120.0.6099.129-1
chromium       chromium         >= 0 < 120.0.6099.129-1                  120.0.6099.129-1
debian         chromium         < 120.0.6099.129-1~deb12u1 (bookworm)    120.0.6099.129-1~deb12u1 (bookworm)
debian         debian_linux     -                                        -
debian         debian_linux     -                                        -
fedoraproject  fedora           -                                        -
fedoraproject  fedora           -                                        -
google         chrome           < 120.0.6099.129                         120.0.6099.129
google         chrome           >= 120.0.6099.129 < 120.0.6099.129       120.0.6099.129
google         chrome_chrome    -                                        -
msrc           microsoft_edge   -                                        -

Detection & IOCs (extracted from sources)

  • CVE-2023-7024 is a heap buffer overflow in WebRTC, the real-time communication component of Google Chrome; Google TAG reported an exploit in the wild. Monitor for exploitation attempts, i.e. WebRTC heap corruption triggered from a crafted HTML page.
  • Any product that embeds WebRTC, not only Chrome, may be affected; broaden detection scope to other Chromium-based browsers (Microsoft Edge appears in the Affected table above) and other WebRTC embedders.
  • The CISA KEV remediation deadline for federal agencies was 2024-01-23; any Chrome or Chromium-based browser prior to 120.0.6099.129 remains vulnerable until patched.
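The third bullet reduces to a version comparison against the fixed build 120.0.6099.129 from the Affected table. The script below is an added example, not code from this page or from Google/Chromium: it parses Chrome and Debian chromium version strings (stripping the Debian packaging revision such as -1~deb12u1, since every fixed Debian version listed above carries upstream 120.0.6099.129), flags anything older as vulnerable, and deliberately reports Microsoft Edge as "unknown" because Edge uses its own version numbering and the page lists no fixed Edge build. The inventory CSV, the host names and the product names are constructed for the example.

```python
import csv
import io
import re
from typing import List, Tuple

# Fixed upstream build from the Affected table: all Google Chrome and Debian
# chromium "Fixed in" entries carry upstream 120.0.6099.129; the Debian suffix
# (-1, -1~deb11u1, -1~deb12u1) is packaging revision only.
FIXED_UPSTREAM = (120, 0, 6099, 129)

# Four dotted integers, optionally followed by a distro packaging revision
# ("-1~deb12u1"), which is ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.~+]+)?$")

# Products that use Chromium's upstream version scheme (assumed product names
# for the example). Edge is intentionally absent: its builds are numbered
# differently and this page gives no fixed Edge version, so it must not be
# compared against FIXED_UPSTREAM.
CHROMIUM_VERSIONED = {"google-chrome", "chromium", "chromium-browser"}


def parse_upstream_version(version: str) -> Tuple[int, int, int, int]:
    """Return the upstream four-part version as an integer tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Chromium version string: {version!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_affected(version: str) -> bool:
    """True if the upstream build is older than the fixed 120.0.6099.129."""
    return parse_upstream_version(version) < FIXED_UPSTREAM


def triage(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Classify each inventory row as vulnerable, fixed or unknown."""
    result = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        product = rec["product"].strip().lower()
        if product not in CHROMIUM_VERSIONED:
            status = "unknown: no fixed version for this product on the page"
        else:
            try:
                status = "vulnerable" if is_affected(rec["version"]) else "fixed"
            except ValueError:
                status = "unknown: unparseable version"
        result.append((rec["host"], rec["version"], status))
    return result


# Constructed sample inventory (hosts, products and versions are made up).
SAMPLE_INVENTORY = """host,product,version
ws-01,google-chrome,120.0.6099.109
ws-02,google-chrome,120.0.6099.129
ws-03,chromium,120.0.6099.109-1~deb12u1
ws-04,chromium,120.0.6099.129-1~deb12u1
ws-05,google-chrome,121.0.6167.85
ws-06,microsoft-edge,120.0.2210.91
"""

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {version:26} {status}")
```

Feed it the output of your endpoint inventory (browser name and version per host); only the vulnerable/fixed verdicts for Chrome and Debian chromium are backed by the ranges on this page, and every other product needs its own vendor advisory before it is marked safe.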

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv             -        8.8    HIGH      -
vulncheck       -        8.8    HIGH      -
cisa            -        8.8    HIGH      -
vendor_debian   -        8.8    HIGH      -
vendor_msrc     -        8.8    HIGH      -