CVE-2023-4762
Published: 05 September 2023
Summary
CVE-2023-4762 is a high-severity Type Confusion (CWE-843) vulnerability in the V8 JavaScript engine of Google Chrome that also affects Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
Type Confusion in the V8 JavaScript engine affected Google Chrome versions prior to 116.0.5845.179. The flaw, assigned CWE-843, carried a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
A remote attacker could exploit the issue by serving a specially crafted HTML page; successful exploitation would allow arbitrary code execution in the context of the browser process after the victim visits the page.
The referenced Chrome stable-channel update and subsequent Fedora package advisories direct users to upgrade to version 116.0.5845.179 or later to eliminate the vulnerability.
The EPSS probability rose from a low post-disclosure baseline to a peak of 0.8264 on 2024-09-11 before receding to the current value of 0.5580, indicating that exploitation interest emerged more than a year after the initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54609
Vulnerability details
Type Confusion in V8 in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-843
- KEV Date Added: 06 February 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor-supplied patch that eliminates the type-confusion flaw in V8 before arbitrary code execution can occur.
Enforces configuration settings such as mandatory auto-update policies or approved browser versions that block use of the vulnerable Chrome build.
Requires continuous vulnerability scanning to identify systems running Chrome versions prior to 116.0.5845.179 that remain susceptible to the crafted HTML exploit.