Cyber Resilience

CVE-2018-17480

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 11 December 2018

Modified: 24 October 2025
KEV Added: 08 June 2022
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3044 (96.8th percentile)
Risk Priority: 56 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-17480 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

The vulnerability is an out-of-bounds write in the V8 JavaScript engine within Google Chrome versions prior to 71.0.3578.80. It stems from execution of user-supplied JavaScript during array deserialization and is tracked under CWE-787.

A remote attacker can exploit the flaw by serving a crafted HTML page to a victim, achieving arbitrary code execution inside the renderer sandbox. No privileges are required; the only user interaction needed is visiting the page.

Advisories and patches, including the Chrome stable channel update, Red Hat RHSA-2018:3803, and Gentoo GLSA-201908-18, direct users to upgrade to Chrome 71.0.3578.80 or later to address the issue.

The CVSS 3.1 base score is 8.8: network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability.

Vulnerability details

Execution of user-supplied JavaScript during array deserialization leading to an out-of-bounds write in V8 in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product                         Version
google    chrome                          ≤ 71.0.3578.80
redhat    enterprise linux desktop        6.0
redhat    enterprise linux server         6.0
redhat    enterprise linux workstation    6.0
debian    debian linux                    9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely application of the vendor patch (Chrome 71.0.3578.80+) that eliminates the out-of-bounds write during array deserialization.

Prevent: Enforces configuration settings that restrict use of unpatched browser versions known to contain the V8 flaw.

Detect: Requires scanning to discover instances of Chrome < 71.0.3578.80 that remain vulnerable to the crafted-HTML exploit.