CVE-2023-3728 – This vulnerability is a use-after-free memory c... (How to Fix)

Q: What is the severity of CVE-2023-3728?

CVE-2023-3728 has a CVSS score of 8.8 (HIGH). This vulnerability is a use-after-free memory corruption flaw in Chrome's WebRTC component that allows remote attackers to potentially execute arbitrary code or cause denial of service. It affects all users running vulnerable versions of Google Chrome and Chromium-based browsers. Attackers can exploit this by tricking users into visiting a malicious webpage.

📋 TL;DR

This vulnerability is a use-after-free memory corruption flaw in Chrome's WebRTC component that allows remote attackers to potentially execute arbitrary code or cause denial of service. It affects all users running vulnerable versions of Google Chrome and Chromium-based browsers. Attackers can exploit this by tricking users into visiting a malicious webpage.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Versions prior to 115.0.5790.98

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default Chrome configurations with WebRTC enabled are vulnerable. WebRTC is enabled by default.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash/denial of service or limited code execution within browser sandbox.

🟢

If Mitigated

Browser crash only, with no data compromise if sandbox holds.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites without user interaction beyond visiting page.

🏢 Internal Only: MEDIUM - Requires user to visit attacker-controlled internal page or phishing link.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Use-after-free vulnerabilities in browser engines are frequently exploited in the wild, though no public exploit is confirmed for this specific CVE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 115.0.5790.98 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/07/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome menu > Help > About Google Chrome. 2. Chrome will automatically check for and apply updates. 3. Click 'Relaunch' when prompted to restart Chrome with the updated version.

🔧 Temporary Workarounds

Disable WebRTC

all

Disable WebRTC functionality to prevent exploitation, but breaks video/audio calling features.

chrome://flags/#disable-webrtc (set to Enabled)
Restart Chrome

🧯 If You Can't Patch

Use alternative browsers without WebRTC until patching is possible.
Implement network filtering to block known malicious domains and restrict browser usage to trusted sites only.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version via chrome://settings/help or 'About Google Chrome'. If version is below 115.0.5790.98, system is vulnerable.

Check Version:

google-chrome --version (Linux), 'Get-AppxPackage Microsoft.MicrosoftEdge' (Windows Edge), or chrome://version in browser

Verify Fix Applied:

Confirm Chrome version is 115.0.5790.98 or higher after update and restart.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with WebRTC-related modules
Unexpected browser process termination

Network Indicators:

Connections to suspicious domains followed by browser crashes
Unusual WebRTC traffic patterns

SIEM Query:

source="chrome_crash_logs" AND (process="chrome" OR module="webrtc") AND event="crash"

📊 Metadata

CVE ID: CVE-2023-3728

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: August 1, 2023

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2023/07/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1457421 Exploit,Issue Tracking,Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/
https://security.gentoo.org/glsa/202401-34
https://chromereleases.googleblog.com/2023/07/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1457421 Exploit,Issue Tracking,Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/
https://security.gentoo.org/glsa/202401-34

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-3728, you might also want to check these: