Google has rolled out a security update for its Chrome web browser to address a critical zero-day vulnerability that it says has been widely exploited.
This vulnerability has been assigned the CVE identifier CVE-2023-7024 and has been described as a stack-based buffer overflow bug in the WebRTC framework that can be exploited to cause program crashes or arbitrary code execution.
The vulnerability was discovered and reported on December 19, 2023 by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG).
No other details about the security flaw have been released to prevent further abuse, and Google acknowledged that “CVE-2023-7024 exists in the wild.”
Given that WebRTC is an open source project and is also supported by Mozilla Firefox and Apple Safari, it’s unclear whether the flaw will have any impact outside of Chrome and Chromium-based browsers.
This development marks the eighth actively exploited zero-day vulnerability in Chrome since the beginning of the year.
According to data compiled by Qualys, a total of 26,447 vulnerabilities have been disclosed so far in 2023, more than 1,500 more CVEs than the previous year, with 115 of them being exploited by threat actors and ransomware groups.
Remote code execution, security feature bypass, buffer manipulation, privilege escalation, and input validation and parsing flaws have become the most common types of vulnerabilities.
Users are recommended to upgrade to Chrome version 120.0.6099.129/130 on Windows and 120.0.6099.129 on macOS and Linux to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply fixes when they become available.
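As an added example (not code from the article or from Google), the check below flags inventory records whose Chrome build is older than the fixed versions named above; the hostnames, platform labels and inventory records are constructed, and the comparison is done on numeric tuples because a plain string comparison would misorder builds such as 120.0.6099.99 and 120.0.6099.129.

```python
# Added example: find Chrome installs that predate the fix for CVE-2023-7024.
from typing import Dict, List, Tuple

# First fixed build per platform, as stated in the article
# (Windows shipped both 120.0.6099.129 and .130; either contains the fix).
FIXED_VERSIONS: Dict[str, str] = {
    "windows": "120.0.6099.129",
    "macos": "120.0.6099.129",
    "linux": "120.0.6099.129",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '120.0.6099.129' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the build is at or above the first fixed build for its platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[key])


def find_unpatched(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames (in inventory order) whose Chrome build still needs the update."""
    return [host for host, platform, version in inventory
            if not is_patched(platform, version)]


# Constructed sample inventory: (hostname, platform, reported Chrome version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "windows", "120.0.6099.110"),   # vulnerable: below first fixed build
    ("ws-02", "windows", "120.0.6099.130"),   # patched: second Windows fixed build
    ("mac-01", "macos", "120.0.6099.129"),    # patched
    ("lx-01", "linux", "120.0.6099.99"),      # vulnerable; string compare would get this wrong
    ("lx-02", "linux", "121.0.6167.85"),      # patched: later release line (constructed value)
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the fixed build for CVE-2023-7024, update required")
```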