CVE-2023-2033
Published: 14 April 2023
Summary
CVE-2023-2033 is a high-severity Type Confusion (CWE-843) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2023-2033 is a type confusion in the V8 JavaScript engine of Google Chrome prior to version 112.0.5615.121. The flaw, assigned CWE-843, permits heap corruption when a victim visits a specially crafted HTML page. Its CVSS 3.1 base score of 8.8 reflects a network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
A remote attacker can trigger the issue without authentication by serving malicious web content that the browser renders, thereby achieving arbitrary code execution or browser process compromise through the resulting memory corruption.
Chrome stable channel updates released on 14 April 2023 advise immediate upgrade to 112.0.5615.121 or later; downstream distributions such as Fedora have published corresponding package advisories that direct users to apply the patched Chrome builds.
EPSS scores for the CVE rose from lower values to a peak of 0.2870 on 2026-03-15 before receding to the current 0.2278, indicating post-disclosure exploitation interest that later moderated.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33560
Vulnerability details
Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
- KEV Date Added: 17 April 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely installation of the vendor patch (Chrome 112.0.5615.121) that eliminates the type-confusion flaw in V8.
- Restricts or sandbox-limits mobile code (JavaScript) that an attacker must deliver via a crafted HTML page to trigger the V8 flaw.
- Employs memory-protection techniques (DEP, ASLR, etc.) that can block or contain the heap corruption resulting from successful type confusion.