Cyber Resilience

CVE-2023-4355

HighPublic PoC

Published: 15 August 2023

Published
15 August 2023
Modified
05 May 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.4066 97.5th percentile
Risk Priority 42 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-4355 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Debian Debian Linux. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is an out-of-bounds memory access flaw (CWE-787) in the V8 JavaScript engine within Google Chrome versions prior to 116.0.5845.96. It can result in heap corruption when processing a specially crafted HTML page, carrying a CVSS 3.1 score of 8.8.

A remote attacker can trigger the issue by causing a victim to visit a malicious web page, potentially achieving arbitrary code execution or other high-impact effects on confidentiality, integrity, and availability without needing user privileges beyond normal browser interaction.

Chrome stable channel updates and downstream distributions such as Fedora have addressed the flaw by advancing to version 116.0.5845.96 or later; the associated Chromium bug report and distribution advisories emphasize prompt application of these patches as the primary mitigation.

A proof-of-concept referencing dangling FixedArray pointers has been published, and the EPSS score has remained steady at its observed peak of 0.3928.

EU & UK References

Vulnerability details

Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 116.0.5845.96
debian
debian linux
11.0, 12.0
fedoraproject
fedora
37, 38

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References