CVE-2023-7024 Heap buffer overflow in WebRTC

HacGoogle Fixed CVE-2023-7024 Heap buffer overflow in WebRTC Vulnerability

Google has released an emergency patch for Chrome vulnerability CVE-2023-7024 on Wednesday (12/20/23). According to our security research, CVE-2023-7024 vulnerability was being actively exploited by hackers. Further reports verified that this was Chrome’s 8th known vulnerability this year.

What is CVE-2023-7024 Vulnerablity

This particular vulnerability is identified as CVE-2023-7024. It is a high-severity heap buffer overflow bug that compromises the WebRTC component of Chrome. WebRTC is an open-source free framework that provides web browsers and mobile applications with real-time audio and video communication.

CVE-2023-7024 Heap buffer overflow in WebRTC

Here’s how the bug works:

When the heap buffer encounters more data than its allocated capacity, data overflow occurs. In simple words, data starts to spill into its neighboring memory regions potentially overwriting unrelated data or control structures. It can cause severe malfunction or data breach scenarios.

CVE-2023-7024 Vulnerability Exploitation And Consequences

Furthermore, attackers can use CVE-2023-7024 vulnerability to insert malicious codes in the Chrome browser by creating a custom-designed WebRTC data stream. This special WebRTC will write too much data on the heap counter causing an overflow. Hackers can write certain malicious codes on the heap counter with other data. Once the heap buffer crosses its allocated capacity, malicious code will then overwrite the control structure allowing hackers to remotely access your browser.

CVE-2023-7024 is indeed a severe vulnerability. Once the hackers get remote access to the Chrome browser, they will be able to see your browsing history, most visited sites, and login credentials used in your browser. Furthermore, hackers can install malicious extensions in your system and may even download severe malware in your system.

About CVE-2023-7024 Vulnerability Discovery

In an advisory, the internet behemoth wrote, “Google knows about the CVE-2023-7024 vulnerability”. The security breach was discovered on December 19, just a day before the security patch was released.

Google itself or any other official security researchers have not disclosed any particular technical detail about the vulnerability or about the attackers compromising this vulnerability. However, It did mention that the vulnerability was reported to Google by Vlad Stolyarov and Clément Lecigne of the Threat Analysis Group (TAG) indicating that commercial monitoring software providers may be able to make use of it.

Recently, Google TAG researchers have discovered some other security flaws. Cyber attackers are reportedly exploiting these flaws activily. These flaws included a zero-day that compelled Google, Apple, and Mozilla (CVE-2023-4863) to release emergency patches and a Chrome vulnerability (CVE-2023-5217) fixed at the end of September.

In addition to CVE-2023-5217 and CVE-2023-4863, Google also fixed five other Chrome issues (CVE-2023-6345, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2023-2136) this year that were being exploited. CVE-2023-7024 is the eighth officially reported zero-day vulnerability in Chrome this year.

Important: Update Your Browser To Avoid Heap buffer overflow

Chrome users must update their browser to the latest version of Chrome. The latest version comes with the security patch for CVE-2023-7024 vulnerability. Google security patch comes with the latest version will ensure that attackers can’t exploit CVE-2023-7024 Heap buffer overflow in WebRTC in your browser. The latest version of Google Chrome also includes security patches for other seven vulnerabilities found this year.

About the author


Leave a Comment