Cyber Resilience

CVE-2023-6702

High

Published: 14 December 2023

Published
14 December 2023
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.5795 98.2th percentile
Risk Priority 52 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-6702 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-6702 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 120.0.6099.109. The flaw, tracked under CWE-843, can result in heap corruption when processing specially crafted input and carries a CVSS 3.1 base score of 8.8.

A remote attacker can exploit the issue by persuading a user to visit a malicious HTML page, after which successful exploitation may allow arbitrary code execution with the privileges of the Chrome process. The attack requires no authentication and only user interaction in the form of page visitation.

Chrome stable channel updates released on 12 December 2023 upgraded the affected component to version 120.0.6099.109, and downstream distributions such as Fedora and Gentoo issued corresponding package updates to address the same defect.

EPSS scores for the CVE have remained near 0.58 since disclosure, indicating sustained but not sharply increasing exploitation interest.

EU & UK References

Vulnerability details

Type confusion in V8 in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Type confusion in V8 JavaScript engine enables heap corruption for remote code execution via crafted HTML page, facilitating Exploitation for Client Execution in browsers.

Affected Assets

google
chrome
≤ 120.0.6099.109
fedoraproject
fedora
38
microsoft
edge chromium
≤ 120.0.2210.77

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References