What is WebRTC?
WebRTC (Web Real-Time Communication) is an open-source project and browser API standard that enables peer-to-peer audio, video, and data sharing directly in the browser without plugins — used by video conferencing (Google Meet, Zoom Web, Microsoft Teams Web), voice calling applications, and real-time collaboration tools. WebRTC is built into Chromium and therefore present in Google Chrome, Microsoft Edge, Brave, and all Chromium-based browsers. Because WebRTC processes network-sourced media data (audio/video packets, data channel payloads) from potentially untrusted peers, vulnerabilities in its codec or protocol parsing code represent an attractive browser exploitation target: an attacker can craft a malicious WebRTC peer connection or media stream that triggers the vulnerability in the victim's browser.
Overview
CVE-2023-7024 is a zero-day heap buffer overflow vulnerability in the WebRTC component of Google Chromium, enabling remote code execution via a crafted HTML page. Google patched it on December 20, 2023 in Chrome 120.0.6099.129/130, confirming active in-the-wild exploitation. It was the eighth Chrome zero-day patched in 2023 — a year marked by an unusually high number of Chrome zero-days, most attributed to commercial spyware vendors and nation-state actors. As WebRTC is a shared open-source component used across all Chromium-based browsers, the vulnerability affects not only Chrome but Microsoft Edge, Brave, and other Chromium derivatives.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome (Windows/Mac/Linux) | Prior to 120.0.6099.129 | 120.0.6099.129 / 130 |
| Microsoft Edge | Prior to corresponding update | Apply Edge update |
| Other Chromium-based browsers | Prior to corresponding update | Apply vendor update |
| Android Chrome | Prior to corresponding update | Apply via Google Play |
Technical Details
CWE-787 (Out-of-bounds Write). WebRTC's media processing pipeline handles audio and video data received from remote peers, including codec decoding, audio mixing, and video frame processing. A heap buffer overflow in WebRTC's handling of crafted media data allows an attacker to write past the end of a heap buffer into adjacent memory. By controlling the content of the overwritten memory (through careful heap grooming), an attacker can corrupt internal data structures, overwrite function pointers, or achieve arbitrary code execution within the Chrome renderer process.
The User Interaction: Required (UI:R) metric reflects the need for the victim to visit a malicious webpage or open a malicious document that initiates a WebRTC connection or processes crafted media content. In practice, this requires only a single click on a malicious link. Unlike some WebRTC vulnerabilities that require the victim to initiate a call, a passive malicious page can initiate a WebRTC peer connection or play crafted media to trigger the vulnerability.
The S:U (Scope: Unchanged) metric indicates that this is a renderer process compromise rather than a sandbox escape; a second vulnerability would be needed for full OS-level code execution. In commercial exploit chains, such vulnerabilities are chained with privilege escalation or sandbox escape bugs.
Discovery
The vulnerability was reported to Google's Chrome security team. Google acknowledged in-the-wild exploitation in the December 20 advisory. The speed of the zero-day fix (consistent with Google's rapid response protocol for in-the-wild Chrome zero-days) and the KEV addition indicate active spyware or nation-state exploitation at the time of the patch.
Exploitation Context
Chrome zero-days in 2023 were disproportionately attributed to commercial mobile spyware vendors (NSO Group, Intellexa, Variston) and sophisticated nation-state actors. CVE-2023-7024 follows the pattern of the other 2023 Chrome zero-days (CVE-2023-2033, CVE-2023-2136, CVE-2023-3079, CVE-2023-4762, CVE-2023-5217, CVE-2023-6345) — being discovered while actively used in targeted exploitation campaigns. The December disclosure timing (the last Chrome zero-day of a record year) underscores the sustained attacker focus on browser-based exploitation as the primary vector for targeted compromise.
Remediation
- Update Google Chrome to version 120.0.6099.129 or later immediately — Chrome's built-in auto-updater handles this for most users (Menu → Help → About Google Chrome, then restart).
- Apply updates to all Chromium-based browsers (Microsoft Edge, Brave, Opera, etc.) — they share the WebRTC library and require independent updates from their respective vendors.
- Restart Chrome after updating — the update does not take effect until Chrome relaunches.
- For enterprise environments: enforce Chrome auto-update policies via Group Policy or Chrome Browser Cloud Management to minimize the patch window.
- Consider enabling Chrome's Site Isolation feature if not already enabled — it limits the impact of renderer compromises by preventing cross-origin memory access.
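A fleet check for the remediation steps above, as an added example that is not part of the original advisory. It compares builds numerically against the fixed Chrome version given in this advisory and flags hosts where the update is installed but Chrome has not been relaunched; the inventory rows, host names and status labels are constructed for illustration.

```python
import re

FIXED_CHROME = (120, 0, 6099, 129)  # fixed build stated in this advisory
VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+", re.ASCII)


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chromium-style version."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(browser, installed, running):
    """Classify one inventory row against the CVE-2023-7024 fix."""
    if browser.lower() != "chrome":
        # The advisory gives no fixed build for Edge, Brave, Opera, etc.
        return "CHECK_VENDOR_ADVISORY"
    inst, run = parse_version(installed), parse_version(running)
    if inst is None or run is None:
        return "UNPARSEABLE"
    if inst < FIXED_CHROME:
        return "VULNERABLE"
    if run < FIXED_CHROME:
        # Fixed build is on disk, but the old binary is still loaded in memory.
        return "RESTART_PENDING"
    return "PATCHED"


# Constructed sample rows: (host, browser, installed version, running version).
INVENTORY = [
    ("ws-001", "Chrome", "120.0.6099.129", "120.0.6099.129"),
    ("ws-002", "Chrome", "120.0.6099.71", "120.0.6099.71"),  # "71" > "129" as text
    ("ws-003", "Chrome", "120.0.6099.130", "120.0.6099.109"),
    ("ws-004", "Edge", "120.0.0.1", "120.0.0.1"),
    ("ws-005", "Chrome", "120.0.6099", "n/a"),
]


def audit(rows):
    """Map each host to its remediation status."""
    return {host: classify(b, inst, run) for host, b, inst, run in rows}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Row ws-002 is the case a plain string comparison gets wrong: as text, "120.0.6099.71" sorts after "120.0.6099.129" and would be reported as patched.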
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-7024 |
| Vendor / Product | Google — Chromium WebRTC |
| NVD Published | 2023-12-21 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2024-01-02 |
| CISA KEV Deadline | 2024-01-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-12-20 | Google releases Chrome 120.0.6099.129/130 patching CVE-2023-7024 — zero-day with in-the-wild exploitation confirmed; eighth Chrome zero-day of 2023 |
| 2023-12-21 | CVE-2023-7024 published |
| 2024-01-02 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2024-01-23 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Google Chrome Stable Channel Update — December 20, 2023 | Vendor Advisory |
| NVD — CVE-2023-7024 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |