December 25th, 2023 - by Alisa Esage
WebRTC is a universal open-source codec library for processing audio and video streaming, which is embedded in a wide variety of software products, especially in web browsers. Google just disclosed a zero-day vulnerability in WebRTC, which is being exploited in the wild to achieve remote code execution. No further technical details were provided, so I looked at the patch from the perspective of my vulnerability research experience (without any testing or reproduction yet) to derive additional insights related to the bug's impact, mitigation, and re-exploitation potential.
Full patch for CVE-2023-7024
* Some software doesn't report security patch details, so (in)vulnerability could be established by looking at 1) release history, 2) source code diffs rather than by CVE mentions

** No product updates were recently reported by the vendor, while the project's code dependency graph strongly indicates inheritance of the specific bug from Chromium