CVE-2023-2935
Published: 30 May 2023
Summary
CVE-2023-2935 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 7.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-2935 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 114.0.5735.90. The flaw, assigned CWE-843, permits heap corruption when a specially crafted HTML page is processed, carrying a CVSS 3.1 base score of 8.8 and a Chromium security severity rating of High.
A remote attacker can trigger the issue by convincing a user to visit a malicious web page, after which successful exploitation may allow arbitrary code execution with the privileges of the Chrome process. The attack requires no authentication, is delivered over the network, and needs only user interaction in the browser.
Chrome release notes and downstream advisories such as Gentoo GLSA-202311-11 and GLSA-202401-34 direct users to apply the stable-channel update that resolves the defect in V8. The referenced proof-of-concept on Packet Storm demonstrates the type-confusion primitive but does not indicate widespread in-the-wild exploitation; EPSS scores remained low, peaking near 0.10 before receding.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34381
Vulnerability details
Type Confusion in V8 in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-843
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.