Cyber Resilience

CVE-2023-2935

HighPublic PoC

Published: 30 May 2023

Published
30 May 2023
Modified
05 May 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0926 92.9th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2935 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-2935 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 114.0.5735.90. The flaw, assigned CWE-843, permits heap corruption when a specially crafted HTML page is processed, carrying a CVSS 3.1 base score of 8.8 and a Chromium security severity rating of High.

A remote attacker can trigger the issue by convincing a user to visit a malicious web page, after which successful exploitation may allow arbitrary code execution with the privileges of the Chrome process. The attack requires no authentication and can be delivered over the network with only user interaction via the browser.

Chrome release notes and downstream advisories such as Gentoo GLSA-202311-11 and GLSA-202401-34 direct users to apply the stable-channel update that resolves the defect in V8. The referenced proof-of-concept on Packet Storm demonstrates the type-confusion primitive but does not indicate widespread in-the-wild exploitation; EPSS scores remained low, peaking near 0.10 before receding.

EU & UK References

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 114.0.5735.90

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References