Login Sign Up

CVE-2023-0932

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in WebRTC component of Google Chrome on Windows that could allow remote attackers to exploit heap corruption. Attackers can trigger this by convincing users to interact with malicious UI elements on crafted HTML pages. Affects Chrome users on Windows systems.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: Prior to 110.0.5481.177
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of Chrome; other operating systems are not vulnerable

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure

🟢

If Mitigated

No impact if Chrome is updated to patched version or workarounds are implemented

🌐 Internet-Facing: HIGH - Exploitable via malicious websites without authentication
🏢 Internal Only: MEDIUM - Requires user interaction with malicious content

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires user interaction with specific UI elements; no public exploit code available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 110.0.5481.177 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/02/stable-channel-desktop-update_22.html

Restart Required: Yes

Instructions:

1. Open Chrome
2. Click three-dot menu → Help → About Google Chrome
3. Chrome will automatically check for and install updates
4. Click 'Relaunch' to restart Chrome with the update

🔧 Temporary Workarounds

Disable WebRTC

all

Temporarily disable WebRTC functionality to prevent exploitation

chrome://flags/#disable-webrtc
Set 'WebRTC' flag to 'Disabled'

Use alternative browser

all

Switch to non-Chromium browser until patch is applied

🧯 If You Can't Patch

  • Implement network filtering to block malicious websites
  • Use application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings → About Chrome; if version is below 110.0.5481.177, system is vulnerable

Check Version:

chrome://version/

Verify Fix Applied:

Confirm Chrome version is 110.0.5481.177 or higher in About Chrome

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with WebRTC-related stack traces
  • Unexpected Chrome process termination

Network Indicators:

  • Traffic to suspicious domains with WebRTC components
  • Unusual WebRTC connection attempts

SIEM Query:

source="chrome_crash_reports" AND (process="chrome.exe" OR component="WebRTC")

📊 Metadata

CVE ID: CVE-2023-0932
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: February 22, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-0932, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)