Cyber Resilience

CVE-2023-4069

High

Published: 03 August 2023

Published
03 August 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0441 89.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-4069 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a type confusion flaw (CWE-843) in the V8 JavaScript engine of Google Chrome versions prior to 115.0.5790.170. It received a CVSS 3.1 base score of 8.8 and was rated High severity by the Chromium project, with the root cause allowing heap corruption when processing specially crafted input.

A remote attacker can exploit the issue without authentication by persuading a user to visit a malicious HTML page, after which successful exploitation may permit arbitrary code execution within the renderer process with the associated confidentiality, integrity, and availability impacts.

Chrome stable channel updates and downstream advisories from Fedora and Gentoo direct users to upgrade to version 115.0.5790.170 or later; the referenced Chromium bug and distribution mailing lists contain the corresponding package updates.

The EPSS probability rose from a low baseline to a recorded peak of 0.0666 before receding to the current value of 0.0441, indicating modest post-disclosure exploitation interest.

EU & UK References

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 115.0.5790.170

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References