CVE-2023-6702
Published: 14 December 2023
Summary
CVE-2023-6702 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-6702 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 120.0.6099.109. The flaw, tracked under CWE-843, can result in heap corruption when processing specially crafted input and carries a CVSS 3.1 base score of 8.8.
A remote attacker can exploit the issue by persuading a user to visit a malicious HTML page, after which successful exploitation may allow arbitrary code execution with the privileges of the Chrome process. The attack requires no authentication and only user interaction in the form of page visitation.
Chrome stable channel updates released on 12 December 2023 upgraded the affected component to version 120.0.6099.109, and downstream distributions such as Fedora and Gentoo issued corresponding package updates to address the same defect.
EPSS scores for the CVE have remained near 0.58 since disclosure, indicating sustained but not sharply increasing exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58923
Vulnerability details
Type confusion in V8 in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in V8 JavaScript engine enables heap corruption for remote code execution via crafted HTML page, facilitating Exploitation for Client Execution in browsers.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.