Cyber Resilience

CVE-2023-2033

HighCISA KEVActive ExploitationEUVD Exploited

Published: 14 April 2023

Published
14 April 2023
Modified
24 October 2025
KEV Added
17 April 2023
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.2278 96.0th percentile
Risk Priority 51 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2033 is a high-severity Type Confusion (CWE-843) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 4.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

Type confusion in the V8 JavaScript engine of Google Chrome prior to version 112.0.5615.121 constitutes the vulnerability tracked as CVE-2023-2033. The flaw, assigned CWE-843, permits heap corruption when a victim visits a specially crafted HTML page, carrying a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

A remote attacker can trigger the issue without authentication by serving malicious web content that the browser renders, thereby achieving arbitrary code execution or browser process compromise through the resulting memory corruption.

Chrome stable channel updates released on 14 April 2023 advise immediate upgrade to 112.0.5615.121 or later; downstream distributions such as Fedora have published corresponding package advisories that direct users to apply the patched Chrome builds.

EPSS scores for the CVE rose from lower values to a peak of 0.2870 on 2026-03-15 before receding to the current 0.2278, indicating post-disclosure exploitation interest that later moderated.

EU & UK References

Vulnerability details

Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
17 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 112.0.5615.121
debian
debian linux
11.0
fedoraproject
fedora
36, 37, 38
couchbase
couchbase server
7.2.0 · ≤ 7.1.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch (Chrome 112.0.5615.121) that eliminates the type-confusion flaw in V8.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-limits mobile code (JavaScript) that an attacker must deliver via a crafted HTML page to trigger the V8 flaw.

prevent

Employs memory-protection techniques (DEP, ASLR, etc.) that can block or contain the heap corruption resulting from successful type confusion.

References