Cyber Resilience

CVE-2018-17463

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 14 November 2018

Modified: 24 October 2025
KEV Added: 08 June 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9220 (99.7th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-17463 is a high-severity vulnerability in Google Chrome with an unspecified weakness type. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability is an incorrect side effect annotation in the V8 JavaScript engine within Google Chrome versions prior to 70.0.3538.64. This flaw resides in the handling of object operations that can lead to type confusion during just-in-time compilation and optimization.

A remote attacker can exploit the issue by serving a specially crafted HTML page to a victim. Successful exploitation grants the ability to execute arbitrary code within the renderer sandbox, with the CVSS vector reflecting network attack vector, low complexity, no required privileges, and required user interaction.

Chrome stable channel updates and corresponding Red Hat errata advise immediate upgrade to version 70.0.3538.64 or later to address the defect. Public references include a detailed Chromium bug report and a proof-of-concept exploit targeting Chrome 67 through 69.

Vulnerability details

Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CWE(s)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Version
google | chrome | ≤ 70.0.3538.67
redhat | enterprise linux desktop | 6.0
redhat | enterprise linux server | 6.0
redhat | enterprise linux workstation | 6.0
debian | debian linux | 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the Chrome 70.0.3538.64 patch that corrects the V8 side-effect annotation flaw.

SC-18 Mobile Code (partial match)
prevent

Establishes usage restrictions and security controls for mobile code (JavaScript) that can limit exposure to the crafted HTML exploit.

prevent, detect

Deploys malicious-code protection mechanisms that can block or alert on renderer exploitation attempts via crafted web content.

References