CVE-2023-3079
Published: 05 June 2023
Summary
CVE-2023-3079 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 17.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2023-3079 is a type confusion flaw (CWE-843) in the V8 JavaScript engine of Google Chrome prior to version 114.0.5735.110. The flaw permits heap corruption when a victim renders a specially crafted HTML page, and it carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
A remote attacker can trigger the issue by persuading a user to visit a malicious web page, after which successful exploitation may allow arbitrary code execution within the renderer process. Public proof-of-concept material on PacketStorm demonstrates both the type confusion primitive and a follow-on sandbox escape chain.
Chrome stable channel updates released on 5 June 2023 upgraded V8 to a corrected version; administrators are advised to deploy 114.0.5735.110 or later, and Fedora package maintainers issued corresponding updates to affected Linux distributions.
EPSS for the CVE rose sharply from a low baseline to a peak of 0.3477 on 10 January 2025 before receding to the current value of 0.0171, indicating that exploitation interest materialized well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-43770
Vulnerability details
Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
- KEV Date Added: 07 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch that removes the type-confusion code path in V8.
Restricts or monitors execution of mobile code (JavaScript) delivered via web pages, limiting the attack vector used to trigger the V8 flaw.
Deploys malicious-code detection mechanisms that can block or alert on crafted HTML pages exploiting the V8 type confusion.