Google has released a patch to address a high-severity vulnerability in the Chrome browser. Tracked as CVE-2023-7024, the vulnerability is being exploited in the wild.
Acknowledging the active exploitation of the vulnerability, CISA has added it to the Known Exploited Vulnerabilities Catalog and recommended that users patch the flaw before Jan 23, 2024.
Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) discovered the high-severity vulnerability in Google Chrome.
CVE-2023-7024 is the eighth zero-day vulnerability fixed by Google this year. The following are the other seven zero-days:
- CVE-2023-2033 – Type confusion in V8
- CVE-2023-2136 – Integer overflow in Skia
- CVE-2023-3079 – Type confusion in V8
- CVE-2023-4762 – Type confusion in V8
- CVE-2023-4863 – Heap buffer overflow in WebP
- CVE-2023-5217 – Heap buffer overflow in vp8 encoding in libvpx
- CVE-2023-6345 – Integer overflow in Skia
Google Chrome versions before 120.0.6099.129 are affected by this vulnerability.
Customers are requested to upgrade to the latest stable channel version 120.0.6099.129 for Mac and Linux and 120.0.6099.129/130 for Windows.
For more information, please refer to the Google Chrome Release Page.
Microsoft has released the Edge Stable Channel (Version 120.0.2210.91) to address CVE-2023-7024, which the Chromium team has reported as being exploited in the wild.
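The version thresholds above can be checked across an asset inventory with a short script. The following is an added example, not code from Google, Microsoft, or Qualys; the inventory line format (`host, product version`) and host names are assumptions, and the sample data is constructed.

```python
import re

# Fixed versions as stated in this advisory. Treating any Edge build below
# 120.0.2210.91 as unpatched is an assumption drawn from the Edge release note.
FIXED = {
    "google chrome": (120, 0, 6099, 129),
    "microsoft edge": (120, 0, 2210, 91),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(text):
    """Return (product, version_tuple, status) for one version string."""
    lowered = text.lower()
    product = next((name for name in FIXED if name in lowered), None)
    match = VERSION_RE.search(text)
    if product is None or match is None:
        return (product, None, "unknown")
    version = tuple(int(part) for part in match.groups())
    # Compare integer tuples, not strings: as text, "120.0.6099.71"
    # sorts above "120.0.6099.129" and would be reported as patched.
    status = "vulnerable" if version < FIXED[product] else "patched"
    return (product, version, status)


def audit(lines):
    """Map each host (text before the first comma) to its status."""
    results = {}
    for line in lines:
        host, _, rest = line.partition(",")
        results[host.strip()] = classify(rest)[2]
    return results


# Constructed sample inventory; hosts and builds are illustrative only.
SAMPLE = [
    "ws-01, Google Chrome 120.0.6099.71",
    "ws-02, Google Chrome 120.0.6099.129",
    "ws-03, Google Chrome 120.0.6099.130",
    "ws-04, Microsoft Edge 120.0.2210.77",
    "ws-05, Microsoft Edge 120.0.2210.91",
    "ws-06, Chromium (version not reported)",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need manual follow-up, since a missing version string is not evidence of a patched browser.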
Qualys customers can scan their devices with QIDs 379169 and 379174 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.