Login Sign Up

CVE-2023-2457

8.8 HIGH

📋 TL;DR

This vulnerability allows a remote attacker to trigger an out-of-bounds write in ChromeOS Audio Server by crafting a malicious audio file, potentially leading to heap corruption. It affects Google Chrome on ChromeOS devices running versions prior to 113.0.5672.114. Attackers could exploit this to execute arbitrary code or cause system crashes.

💻 Affected Systems

Products:
  • Google Chrome on ChromeOS
Versions: All versions prior to 113.0.5672.114
Operating Systems: ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ChromeOS devices; other Chrome browsers on different OSes are not affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attacker to install malware, steal data, or pivot to other systems.

🟠

Likely Case

System instability, crashes, or denial of service through heap corruption; potential for limited code execution in sandboxed context.

🟢

If Mitigated

No impact if patched; limited to denial of service if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to open a crafted audio file; no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 113.0.5672.114 or later

Vendor Advisory: https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-chromeos.html

Restart Required: Yes

Instructions:

1. Open ChromeOS settings. 2. Navigate to 'About ChromeOS'. 3. Click 'Check for updates'. 4. Install any available updates. 5. Restart the device when prompted.

🔧 Temporary Workarounds

Disable automatic audio file processing

all

Prevent automatic opening of audio files from untrusted sources.

Use network filtering

all

Block suspicious audio file downloads at network perimeter.

🧯 If You Can't Patch

  • Isolate affected ChromeOS devices from critical networks and internet access.
  • Implement application allowlisting to block execution of untrusted audio files.

🔍 How to Verify

Check if Vulnerable:

Check ChromeOS version in settings: Settings > About ChromeOS > Detailed build information.

Check Version:

cat /etc/lsb-release

Verify Fix Applied:

Confirm ChromeOS version is 113.0.5672.114 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • ChromeOS crash reports related to audio server (crashes in 'cras' service)
  • Unusual audio file processing events in system logs

Network Indicators:

  • Unexpected downloads of audio files from untrusted sources
  • Network traffic spikes to/from ChromeOS devices

SIEM Query:

source="chromeos" AND (event="crash" AND process="audio_server" OR file_type="audio" AND action="download")

📊 Metadata

CVE ID: CVE-2023-2457
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: May 12, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-2457, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)