CVE-2023-6510 – This is a use-after-free vulnerability in Googl... (How to Fix)

Q: What is the severity of CVE-2023-6510?

CVE-2023-6510 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Google Chrome's Media Capture component that could allow heap corruption. Attackers can exploit it by tricking users into specific UI interactions. All Chrome users prior to version 120.0.6099.62 are affected.

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's Media Capture component that could allow heap corruption. Attackers can exploit it by tricking users into specific UI interactions. All Chrome users prior to version 120.0.6099.62 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 120.0.6099.62

Operating Systems: Windows, Linux, macOS, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable; extensions or security settings don't mitigate this.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation.

🟠

Likely Case

Browser crash or denial of service; potential for limited code execution in sandboxed context.

🟢

If Mitigated

No impact if patched; Chrome's sandbox may limit damage if exploited.

🌐 Internet-Facing: HIGH - Attackers can host malicious content on websites accessible to users.

🏢 Internal Only: MEDIUM - Requires user interaction; internal threats could exploit via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires user interaction with specific UI elements; no public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 120.0.6099.62 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome menu > Help > About Google Chrome. 2. Chrome will automatically check for updates and install version 120.0.6099.62 or later. 3. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable Media Capture

all

Prevent Chrome from accessing camera/microphone to block the vulnerable component

chrome://settings/content/camera
chrome://settings/content/microphone

Use Browser Sandboxing

linux/windows

Run Chrome in isolated environment to limit potential damage

# Linux: firejail google-chrome
# Windows: Use Windows Sandbox

🧯 If You Can't Patch

Use alternative browser until patching possible
Implement network filtering to block malicious sites and restrict browser usage

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in menu > Help > About Google Chrome. If version is below 120.0.6099.62, system is vulnerable.

Check Version:

google-chrome --version (Linux) or "C:\Program Files\Google\Chrome\Application\chrome.exe" --version (Windows)

Verify Fix Applied:

Confirm Chrome version is 120.0.6099.62 or higher in About Google Chrome page.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with media capture components
Unexpected camera/microphone access attempts

Network Indicators:

Connections to suspicious sites followed by browser crashes
Unusual media capture requests

SIEM Query:

source="chrome" AND (event="crash" OR event="media_access") AND version<"120.0.6099.62"

📊 Metadata

CVE ID: CVE-2023-6510

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: December 6, 2023

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1480152 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMHY76AWPA46MAFXPWDGJX6FEGXZVR5Z/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RI3UHCTFH6KWAJGDZ2TOLT6VHKW53WCC/ Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202401-34 Third Party Advisory
https://www.debian.org/security/2023/dsa-5573 Third Party Advisory
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1480152 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMHY76AWPA46MAFXPWDGJX6FEGXZVR5Z/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RI3UHCTFH6KWAJGDZ2TOLT6VHKW53WCC/ Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202401-34 Third Party Advisory
https://www.debian.org/security/2023/dsa-5573 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-6510, you might also want to check these: