Google discovers another Chrome zero-day exploited in the wild
Google has released an emergency security fix for a Chrome zero-day flaw that has been exploited in the wild.
This vulnerability, tracked as CVE-2023-7024, affects the desktop versions of the browser on Mac, Linux and Windows.
It is the eighth actively exploited zero-day in Chrome discovered since the start of 2023. Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group first reported it on December 19.
Not many details are available about the flaw, except that it was found in WebRTC, an open-source project that provides web browsers and mobile applications with real-time communication via simple application programming interfaces (APIs).
The security update fixes a potential heap buffer overflow in WebRTC. Such flaws occur when a program writes past the end of a buffer allocated on the heap, the region of memory used for dynamic allocation.
Google hasn't provided any details about specific attacks that exploit the vulnerability. It is also not clear if any users were directly affected by its exploitation. A CVSS (Common Vulnerability Scoring System) score assessing the severity of this bug is not yet available.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said.
Chrome vulnerabilities often rise to a level of severity that prompts Google to issue a patch as soon as one is ready, instead of waiting for the next regular update cycle.
Earlier in November, Google released an update to address a severe vulnerability that affected 2D graphics-rendering code known as Skia. This bug was also exploited in the wild.
In October, the company issued fixes for a bug in an open-source tool known as libvpx, used in video encoding.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.