Cyber Resilience

CVE-2023-3079

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 June 2023

Modified: 24 October 2025
KEV Added: 07 June 2023
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0171 (82.8th percentile)
Risk Priority: 39 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-3079 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 17.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2023-3079 is a type confusion (CWE-843) in the V8 JavaScript engine of Google Chrome prior to version 114.0.5735.110. The flaw permits heap corruption when a victim renders a specially crafted HTML page. Its CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

A remote attacker can trigger the issue by persuading a user to visit a malicious web page, after which successful exploitation may allow arbitrary code execution within the renderer process. Public proof-of-concept material on PacketStorm demonstrates both the type confusion primitive and a follow-on sandbox escape chain.

Chrome stable channel updates released on 5 June 2023 upgraded V8 to a corrected version; administrators are advised to deploy 114.0.5735.110 or later, and Fedora package maintainers issued corresponding updates to affected Linux distributions.

EPSS for the CVE rose sharply from a low baseline to a peak of 0.3477 on 10 January 2025 before receding to the current value of 0.0171, indicating that exploitation interest materialized well after initial disclosure.

Vulnerability details

Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added: 07 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

| Vendor | Product | Versions |
|---|---|---|
| google | chrome | ≤ 114.0.5735.110 |
| fedoraproject | fedora | 37, 38 |
| debian | debian linux | 11.0, 12.0 |
| apple | macos | all versions |
| linux | linux kernel | all versions |
| couchbase | couchbase server | 7.2.0 · ≤ 7.1.5 |

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch that removes the type-confusion code path in V8.

SC-18 Mobile Code partial match
prevent

Restricts or monitors execution of mobile code (JavaScript) delivered via web pages, limiting the attack vector used to trigger the V8 flaw.

prevent · detect

Deploys malicious-code detection mechanisms that can block or alert on crafted HTML pages exploiting the V8 type confusion.

References