CVE-2023-6706 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2023-6706?

CVE-2023-6706 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Chrome's FedCM (Federated Credential Management) component that allows heap corruption. Attackers can exploit it by tricking users into interacting with malicious UI elements on crafted web pages. All Chrome users prior to version 120.0.6099.109 are affected.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's FedCM (Federated Credential Management) component that allows heap corruption. Attackers can exploit it by tricking users into interacting with malicious UI elements on crafted web pages. All Chrome users prior to version 120.0.6099.109 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 120.0.6099.109

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. FedCM is enabled by default for federated identity features.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation.

🟠

Likely Case

Browser crash (denial of service) or limited information disclosure from memory corruption.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires user interaction with malicious UI elements. No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 120.0.6099.109 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable FedCM

all

Temporarily disable Federated Credential Management feature via Chrome flags

chrome://flags/#fedcm
Set to 'Disabled'

Use Chrome sandboxing

all

Ensure Chrome sandbox is enabled to limit potential impact

chrome://sandbox/
Verify sandbox status is 'Enabled'

🧯 If You Can't Patch

Restrict access to untrusted websites using web filtering or proxy controls
Implement application allowlisting to prevent unauthorized browser execution

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 120.0.6099.109, system is vulnerable.

Check Version:

chrome://version/ or 'google-chrome --version' on Linux

Verify Fix Applied:

Confirm Chrome version is 120.0.6099.109 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with FedCM-related stack traces
Unexpected browser process termination events

Network Indicators:

Requests to suspicious domains with FedCM-related parameters
Unusual federated authentication attempts

SIEM Query:

source="chrome_logs" AND (event="crash" OR event="process_termination") AND process="chrome"

📊 Metadata

CVE ID: CVE-2023-6706

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: December 14, 2023

Last Updated: February 25, 2026

🔗 References

https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html Release Notes,Vendor Advisory
https://crbug.com/1500921 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/
https://security.gentoo.org/glsa/202401-34
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html Release Notes,Vendor Advisory
https://crbug.com/1500921 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/
https://security.gentoo.org/glsa/202401-34

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-6706, you might also want to check these: