Cyber Resilience

CVE-2022-3723

HighCISA KEVActive ExploitationEUVD Exploited

Published: 01 November 2022

Published
01 November 2022
Modified
24 October 2025
KEV Added
28 October 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0051 66.7th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-3723 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 33.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

The vulnerability is a type confusion flaw, tracked as CWE-843, in the V8 JavaScript engine of Google Chrome versions prior to 107.0.5304.87. It can result in heap corruption when processing specially crafted input and carries a CVSS 3.1 base score of 8.8.

A remote attacker can exploit the issue by serving a malicious HTML page to a victim who visits it in an affected browser. Successful exploitation may allow the attacker to corrupt memory and achieve impacts consistent with the high severity rating, including potential code execution within the renderer process.

Chrome release notes and distribution advisories such as Gentoo GLSA-202305-10 direct users to upgrade immediately to version 107.0.5304.87 or later; the corresponding Chromium bug tracker entry confirms the fix was included in the October 2022 stable channel update.

The EPSS probability for CVE-2022-3723 rose from low values at disclosure to a peak of 0.0177 on 2024-06-29 before receding to the current 0.0051, indicating a notable increase in exploitation interest more than eighteen months after publication.

EU & UK References

Vulnerability details

Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
28 October 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 107.0.5304.87

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch that eliminates the type-confusion flaw in V8.

prevent

Enforces malicious-code protections that can block or sandbox the crafted HTML/JS payload used to trigger the heap corruption.

detect

Requires scanning to identify unpatched Chrome instances vulnerable to CVE-2022-3723 before exploitation occurs.

References