---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'High Severity Vulnerability in Google Chrome'
number: '2023-100'
version: '1.1'
original_date: 'December 20, 2023'
date: 'December 22, 2023'
---

_History:_

* _21/12/2023 --- v1.0 -- Initial publication_
* _22/12/2023 --- v1.1 -- Add affected products_

# Summary

On December 20, 2023, Google released an advisory regarding a new high severity vulnerability in its web browser [1]. Google is aware that an exploit for this vulnerability exists in the wild. It is recommended to update as soon as possible.

# Technical Details

The vulnerability `CVE-2023-7024` is caused by a heap buffer overflow in the WebRTC component. The flaw was reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19 and fixed in just one day. The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm [2].

Google has not shared further details about the vulnerability, stating that:

> Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.

# Affected Products

This vulnerability affects Google Chrome versions below 120.0.6099.129 for Mac and Linux, and versions below 120.0.6099.129/130 for Windows.

**[UPDATE]** This vulnerability also affects Chromium-based web browsers such as Microsoft Edge [3], Brave, Opera, and Vivaldi.

# Recommendations

It is recommended to update as soon as possible.

# References

[1]

[2]

[3]
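To turn the Affected Products thresholds into a fleet check, the following added example (not part of the CERT-EU advisory) parses dotted Chrome version strings and flags hosts still below the fixed build for their platform. The version thresholds come from the advisory text; the function names, the sample inventory and the reading of 120.0.6099.129 as the first fixed Windows build are assumptions made for this example.

```python
"""Flag Chrome installs below the fixed builds named in CERT-EU advisory
2023-100 (CVE-2023-7024). Added example; thresholds from the advisory,
all other names and sample data constructed for illustration."""
from typing import List, Tuple

# First fixed build per platform, as stated in the advisory. Windows shipped
# two builds (.129 and .130); this example treats .129 as the first fixed one.
FIXED_VERSIONS = {
    "mac": "120.0.6099.129",
    "linux": "120.0.6099.129",
    "windows": "120.0.6099.129",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '120.0.6099.109' into (120, 0, 6099, 109) for tuple comparison.

    Malformed inventory data raises ValueError instead of being silently
    treated as patched."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool:
    """True if the installed build is below the fixed build for this platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


# Constructed sample inventory: (hostname, platform, reported Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "120.0.6099.109"),
    ("ws-02", "Windows", "120.0.6099.130"),
    ("mac-03", "Mac", "119.0.6045.199"),
    ("lx-04", "Linux", "120.0.6099.129"),
]


def find_unpatched(inventory) -> List[str]:
    """Return hostnames whose Chrome build still needs the CVE-2023-7024 fix."""
    return [host for host, plat, ver in inventory if is_vulnerable(ver, plat)]


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome (CVE-2023-7024)")
```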