CVE-2023-6704 Overview
CVE-2023-6704 is a use after free vulnerability in the libavif component of Google Chrome. This memory corruption flaw exists in versions prior to 120.0.6099.109 and could allow a remote attacker to potentially exploit heap corruption via a crafted image file. The vulnerability was assigned a high severity rating by the Chromium security team.
Critical Impact
Remote attackers can exploit this use after free vulnerability to achieve heap corruption by delivering a specially crafted AVIF image file to victims, potentially leading to arbitrary code execution in the context of the browser.
Affected Products
- Google Chrome versions prior to 120.0.6099.109
- Chromium-based browsers using vulnerable libavif library
- Fedora and Gentoo Linux distributions with unpatched Chrome packages
Discovery Timeline
- December 14, 2023 - CVE-2023-6704 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-6704
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a critical memory corruption class where an application continues to reference memory after it has been freed. In the context of libavif within Google Chrome, the flaw occurs during the processing of AVIF (AV1 Image File Format) images.
When Chrome processes a maliciously crafted AVIF image, the libavif library incorrectly handles memory deallocation during image parsing. The freed memory can subsequently be reallocated for other purposes, but the original reference remains active. When the browser attempts to use this stale pointer, it accesses memory that may now contain attacker-controlled data.
The attack requires user interaction, specifically loading a malicious image file through a web page or other content. Successful exploitation could lead to heap corruption, which attackers may leverage to execute arbitrary code within the Chrome renderer process sandbox.
Root Cause
The root cause of CVE-2023-6704 lies in improper memory management within the libavif image decoding library. Specifically, the code fails to properly invalidate or nullify pointers after freeing associated memory resources during AVIF image processing. This creates a window where subsequent operations can dereference the freed memory, leading to heap corruption when the memory is reused.
Attack Vector
The attack vector for this vulnerability is network-based, requiring user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious AVIF image file designed to trigger the use after free condition
- Hosting the malicious image on a web server or embedding it in web content
- Enticing a victim to visit a malicious webpage or open content containing the crafted image
- Waiting for Chrome's libavif library to process the image, at which point the heap corruption occurs
- Potentially leveraging this corruption for code execution within the sandboxed renderer process
The vulnerability can be exploited without any prior authentication or special privileges, though it does require the victim to interact with malicious content.
Detection Methods for CVE-2023-6704
Indicators of Compromise
- Unexpected Chrome renderer process crashes when viewing web pages with AVIF images
- Memory access violations or heap corruption errors in Chrome crash reports
- Unusual network requests for AVIF image files from untrusted domains
- Chrome stability issues coinciding with visits to suspicious websites
Detection Strategies
- Monitor Chrome version deployments across endpoints to identify instances running versions prior to 120.0.6099.109
- Implement endpoint detection rules to flag unusual Chrome renderer process behavior or crashes
- Use web proxy or firewall rules to log and analyze AVIF file downloads from untrusted sources
- Deploy browser extension policies to restrict automatic loading of images from unknown domains
Monitoring Recommendations
- Enable Chrome crash reporting and monitor for libavif-related crashes
- Configure SIEM rules to correlate Chrome crashes with recent browsing activity involving AVIF images
- Monitor for exploitation attempts through web application firewalls capable of deep content inspection
- Track Chrome version compliance across the organization using endpoint management tools
How to Mitigate CVE-2023-6704
Immediate Actions Required
- Update Google Chrome to version 120.0.6099.109 or later immediately
- Enable automatic Chrome updates to ensure timely security patch deployment
- Audit all Chromium-based browsers and applications in your environment for the vulnerable version
- Consider implementing browser isolation for high-risk users until patching is complete
Patch Information
Google has addressed this vulnerability in Chrome version 120.0.6099.109. The fix was announced in the Google Chrome Stable Channel Update. Additional security advisories have been released by downstream distributions including Fedora and Gentoo.
Organizations should prioritize updating Chrome and any Chromium-based applications to the patched version. For technical details about the vulnerability, refer to Chromium Bug Report #1504792.
Workarounds
- If immediate patching is not possible, consider using alternative browsers temporarily for sensitive operations
- Implement network-level controls to block or filter AVIF image content from untrusted sources
- Deploy browser security policies to disable automatic image loading where operationally feasible
- Use browser isolation solutions to contain potential exploitation attempts
# Verify Chrome version on Linux/macOS
google-chrome --version
# Check if Chrome version is patched (should be >= 120.0.6099.109)
# For enterprise deployment, use Group Policy or MDM to enforce minimum version
# Example Chrome policy to enforce minimum version (JSON format for managed Chrome)
# "MinimumVersionRequired": "120.0.6099.109"
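An added example, not part of this advisory, that turns the version check left as a comment above into a runnable test: it compares each dot-separated field numerically against the fixed build 120.0.6099.109, so that 120.0.6099.99 is correctly reported as vulnerable even though it sorts after 120.0.6099.109 as a plain string. The function names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): check whether a Chrome
# version string is at or above the build that fixes CVE-2023-6704.
FIXED_VERSION="120.0.6099.109"

# version_ge A B -> exit 0 if A >= B, comparing each of the four
# dot-separated fields as an integer (string comparison would get
# "120.0.6099.99" vs "120.0.6099.109" wrong). Missing fields count as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_patched "<output of google-chrome --version>" -> 0 if patched,
# 1 if vulnerable, 2 if no version number could be parsed.
chrome_patched() {
    ver=$(printf '%s' "$1" | grep -o '[0-9][0-9.]*' | head -n 1)
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# Typical endpoint usage; the version string is read from the installed browser.
if command -v google-chrome >/dev/null 2>&1; then
    if chrome_patched "$(google-chrome --version)"; then
        echo "Chrome is patched for CVE-2023-6704"
    else
        echo "Chrome is VULNERABLE to CVE-2023-6704 (or version unreadable)"
    fi
fi
```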
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.