Cyber Resilience

CVE-2018-6065

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 14 November 2018
Modified: 24 October 2025
KEV Added: 08 June 2022
Patch: see vendor references under Deeper analysis
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8955 (99.6th percentile)
Risk Priority: 91 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-6065 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability CVE-2018-6065 is an integer overflow (CWE-190) in the V8 JavaScript engine in Google Chrome versions prior to 65.0.3325.146. It occurs specifically when computing the required allocation size for instantiating a new JavaScript object and is rated 8.8 on CVSS 3.1 with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

A remote attacker can exploit the flaw by delivering a crafted HTML page that triggers the integer overflow, resulting in heap corruption that may be leveraged for arbitrary code execution or other impacts on the affected browser process.
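As an added illustration of the CWE-190 pattern described above (not V8's code and not taken from this page's sources), the following shows an allocation-size computation in its unchecked and hardened forms: the unchecked version wraps for a large field count and returns a size far smaller than the object needs, while the hardened version detects the overflow and refuses to allocate. The object layout, HEADER_BYTES and the field counts are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed layout: a fixed header followed by `count` fields of
 * `field_size` bytes each. This is not V8's object layout; the values
 * are chosen only to make the wraparound visible. */
#define HEADER_BYTES 16u

/* Unchecked arithmetic (the CWE-190 pattern): multiply and add are done
 * in 32 bits, so a large `count` wraps and the caller allocates a buffer
 * much smaller than the object that will be written into it. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t field_size) {
    return HEADER_BYTES + count * field_size;
}

/* Hardened form: check each arithmetic step for overflow and signal
 * failure (-1) instead of returning a wrapped size. */
int64_t checked_alloc_size(uint32_t count, uint32_t field_size) {
    uint32_t body, total;
    if (__builtin_mul_overflow(count, field_size, &body)) return -1;
    if (__builtin_add_overflow(HEADER_BYTES, body, &total)) return -1;
    return (int64_t)total;
}

/* Allocates the object only when the size computation did not wrap. */
void *safe_alloc_object(uint32_t count, uint32_t field_size) {
    int64_t bytes = checked_alloc_size(count, field_size);
    if (bytes < 0) return NULL;
    return calloc(1, (size_t)bytes);
}

int main(void) {
    /* 2^29 fields of 8 bytes need 2^32 bytes, which does not fit in 32 bits. */
    uint32_t count = 0x20000000u;
    printf("unchecked size: %u (wrapped, header only)\n",
           unchecked_alloc_size(count, 8));            /* 16 */
    printf("checked size: %lld\n",
           (long long)checked_alloc_size(count, 8));    /* -1 (refused) */
    void *p = safe_alloc_object(3, 8);                  /* 16 + 24 = 40 bytes */
    printf("small object: %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```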

Vendor references, including the Chrome stable channel update, Red Hat RHSA-2018:0484, and Debian DSA-4182, indicate that the issue is resolved by upgrading to Chrome 65.0.3325.146 or later. The associated Chromium bug report provides additional technical context on the root cause in V8 allocation logic.

EU & UK References

Vulnerability details

Integer overflow in computing the required allocation size when instantiating a new JavaScript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-190 (Integer Overflow or Wraparound)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product                     Version
google   chrome                      ≤ 65.0.3325.146
redhat   enterprise linux desktop    6.0
redhat   enterprise linux server     6.0
redhat   enterprise linux workstation 6.0
debian   debian linux                9.0
mi       mi6 browser                 all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor patch that eliminates the integer-overflow flaw in V8.

SC-18 Mobile Code, partial match (prevent)

Provides policy and technical controls over mobile code (JavaScript) that can be used to block or sandbox execution of pages that trigger the V8 allocation bug.

(prevent, detect)

Requires integrity verification of browser binaries and libraries, ensuring only patched versions of Chrome are executed.

References