CVE-2023-4355
Published: 15 August 2023
Summary
CVE-2023-4355 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Debian Linux. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 2.5% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is an out-of-bounds memory access flaw (CWE-787) in the V8 JavaScript engine within Google Chrome versions prior to 116.0.5845.96. It can result in heap corruption when processing a specially crafted HTML page, carrying a CVSS 3.1 score of 8.8.
A remote attacker can trigger the issue by getting a victim to visit a malicious web page, potentially achieving arbitrary code execution or other high-impact effects on confidentiality, integrity, and availability. No privileges are needed beyond normal browser interaction by the user.
Chrome stable channel updates and downstream distributions such as Fedora have addressed the flaw by advancing to version 116.0.5845.96 or later; the associated Chromium bug report and distribution advisories emphasize prompt application of these patches as the primary mitigation.
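One way to check an inventory against the fixed build named above, as an added example that is not part of the original advisory or any vendor tooling. It assumes each host reports a version string of the kind the browser's `--version` output gives; the hostnames, sample strings and function names are constructed for illustration.

```python
import re

FIXED = (116, 0, 5845, 96)  # first fixed Chrome build, taken from the advisory text

# Matches a four-part build number in strings such as
# "Google Chrome 115.0.5790.170" or "Chromium 116.0.5845.96 Fedora Project".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the build as a 4-tuple of ints, or None if none is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify one reported version string against the fixed build."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # unparseable report: needs manual follow-up
    # Tuples of ints compare numerically, component by component.
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Map hostname -> status for (hostname, version string) pairs."""
    return {host: classify(reported) for host, reported in inventory}


# Constructed sample inventory (hostnames and strings are illustrative).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 115.0.5790.170"),
    ("ws-02", "Google Chrome 116.0.5845.96"),
    ("ws-03", "Chromium 116.0.5845.110 Fedora Project"),
    ("ws-04", "Google Chrome 116.0.5845.9"),   # .9 is older than .96
    ("ws-05", "Google Chrome 99.0.4844.84"),   # a string compare would misrank this
    ("ws-06", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be treated as unverified rather than patched.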
A proof-of-concept referencing dangling FixedArray pointers has been published, and the EPSS score has remained steady at its observed peak of 0.3928.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54219
Vulnerability details
Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.