CVE-2022-3723
Published 2022-11-01
Priority: P184 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2022-11-18
ITW: Exploited in the wild
EPSS: 6.75% (93.2th percentile)
Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 107.0.5304.87-1~deb11u1 | 107.0.5304.87-1~deb11u1 |
| chromium | chromium | >= 0 < 107.0.5304.87-1 | 107.0.5304.87-1 |
| chromium | chromium | >= 0 < 107.0.5304.87-1 | 107.0.5304.87-1 |
| chromium | chromium | >= 0 < 107.0.5304.87-1 | 107.0.5304.87-1 |
| debian | chromium | < chromium 107.0.5304.87-1 (bookworm) | chromium 107.0.5304.87-1 (bookworm) |
| | chrome | < 107.0.5304.87 | 107.0.5304.87 |
| | chrome | >= unspecified < 107.0.5304.87 | 107.0.5304.87 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs
- CVE-2022-3723 is a type confusion vulnerability in the V8 JavaScript engine of Google Chrome prior to version 107.0.5304.87; exploit confirmed in the wild — detect unpatched Chrome versions below this threshold
- Exploitation vector is a crafted HTML page delivered remotely; monitor for suspicious renderer process crashes or heap corruption signals originating from V8/JavaScript engine activity in Chrome
- Google confirmed active in-the-wild exploitation of CVE-2022-3723; treat any Chrome version below 107.0.5304.87 as actively exploitable and prioritize detection/patching
- Microsoft Edge (Chromium-based) Stable channel version 107.0.1418.26 (based on Chromium 107.0.5304.87) is the first patched Edge build; flag Edge versions below this as vulnerable
- CVE-2022-3723 can lead to out-of-bounds memory access and arbitrary code execution via V8 type confusion; correlate Chrome/Edge renderer crashes with suspicious JavaScript execution for potential exploitation attempts
- Google has not disclosed details on the nature or scale of in-the-wild attacks exploiting CVE-2022-3723; breadth of exploitation (targeted vs. widespread) is unknown
- No public exploit code, hashes, C2 infrastructure, or specific attack payloads have been disclosed in any of the available sources for this CVE
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv · 8.8 · HIGH
vulncheck · 8.8 · HIGH
cisa · 8.8 · HIGH
vendor_debian · 8.8 · HIGH
vendor_msrc · 8.8 · HIGH
GHSA
GHSA-6jmv-jqhj-cg68: Type confusion in V8 in Google Chrome prior to 107
ghsa_unreviewed·2022-11-02
CVE-2022-3723 [HIGH] CWE-843 GHSA-6jmv-jqhj-cg68: Type confusion in V8 in Google Chrome prior to 107
Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)
OSV
CVE-2022-3723: Type confusion in V8 in Google Chrome prior to 107
osv·2022-11-01·CVSS 8.8
CVE-2022-3723 [HIGH] CVE-2022-3723: Type confusion in V8 in Google Chrome prior to 107
Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Type Confusion Vulnerability
vulncheck·2022·CVSS 8.8
CVE-2022-3723 [HIGH] CWE-122 Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_APT_Annual_Research_Report_2022.pdf; https://decoded.avast.io/threatrese
Project0
Project Zero RCA: CVE-2022-3723: Logic Issue in Turbofan JIT Compiler
project_zero·CVSS 8.8
CVE-2022-3723 [HIGH] Project Zero RCA: CVE-2022-3723: Logic Issue in Turbofan JIT Compiler
# CVE-2022-3723: Logic Issue in Turbofan JIT Compiler
*Samuel Groß, V8 Security*
## The Basics
**Disclosure or Patch Date:** 27 October 2022
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html
**Affected Versions:** 107.0.5304.62 and previous
**First Patched Version:** 107.0.5304.87
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1378239 (Embargoed)
**Patch CL:** https://chromium.googlesource.com/v8/v8/+/db83e72034c0d431ff2f73e3c4ae3130c0f3e4e1
**Bug-Introducing CL:** N/A
**Reporter(s):** Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast
## The Code
**Proof-of-concept:**
```javascript
// --expose-gc --allow-natives-syntax
function setInnerProperty(o) {
  o.inner.foo = {};
}
```
Project0
Project Zero RCA: CVE-2022-4135: Chrome heap buffer overflow in validating command decoder
project_zero·CVSS 9.6
CVE-2022-4135 [CRITICAL] Project Zero RCA: CVE-2022-4135: Chrome heap buffer overflow in validating command decoder
# CVE-2022-4135: Chrome heap buffer overflow in validating command decoder
*Sergei Glazunov, Google Project Zero*
## The Basics
**Disclosure or Patch Date:** 24 November 2022
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html
**Affected Versions:** pre 107.0.5304.121
**First Patched Version:** 107.0.5304.121
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1392715
**Patch CL:** https://chromium.googlesource.com/chromium/src/+/2bd6ab1a16090fd20d422c11d794edf5c0ff6b89
**Bug-Introducing CL:** N/A
**Reporter(s):** Clement Lecigne of Google's Threat Analysis Group
## The Code
**Proof-of-concept:**
*repro.diff*
```
diff --git a/third_party/blink/renderer/modules/webgl/webgl_rende
```
CISA
Google Chromium V8 Type Confusion Vulnerability
cisa·2022-10-28·CVSS 8.8
CVE-2022-3723 [HIGH] CWE-122 Google Chromium V8 Type Confusion Vulnerability
Vulnerability: Google Chromium V8 Type Confusion Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html; https://nvd.nist.gov/vuln/detail/CVE-2022-3723
Remediation Due Date: 2022-11-18
Chrome
Stable Channel Update for Desktop: CVE-2022-3723
vendor_chrome·2022-10-27·CVSS 8.8
CVE-2022-3723 [HIGH] Stable Channel Update for Desktop: CVE-2022-3723
Stable Channel Update for Desktop
CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast on 2022-10-25. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Severity: high
Microsoft
Chromium: CVE-2022-3723 Type Confusion in V8
vendor_msrc·2022-10-11·CVSS 8.8
CVE-2022-3723 [HIGH] Chromium: CVE-2022-3723 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of th
Debian
CVE-2022-3723: chromium - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote at...
vendor_debian·2022·CVSS 8.8
CVE-2022-3723 [HIGH] CVE-2022-3723: chromium - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote at...
Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 107.0.5304.87-1)
bullseye: resolved (fixed in 107.0.5304.87-1~deb11u1)
forky: resolved (fixed in 107.0.5304.87-1)
sid: resolved (fixed in 107.0.5304.87-1)
trixie: resolved (fixed in 107.0.5304.87-1)
No detection rules found.
No public exploits indexed.
Sentinelone
Navigating the Cybersecurity Twitterverse | 23 Influential Accounts to Follow in 2023
blogs_sentinelone·2023-05-29
Since our last post showcasing prominent cybersecurity accounts worth your follow, Twitter has occupied much of the limelight with stories about the tumultuous “takeover” including lawsuits, layoffs, and circulating concerns about free speech. Following Elon Musk’s acquisition in October 2022, many Twitter users flew the coop and migrated to the more decentralized social media platform Mastodon.
Though the open-source and crowdfunded Mastodon saw a huge surge in new accounts last winter, many new Mastodon users struggled to rebuild their complex social networks and have since returned to the blue bird app. For the cybersecurity community, Twitter remains the primary social media channel for all things cyber.
In the spirit of expanding our knowledge and resources, here are 23 hand-selecte
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
blogs_qualys·2022-12-03·CVSS 8.8
CVE-2022-4262 [HIGH] The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
## Table of Contents
- Organizations respond, but slowly
- Qualys Patch Management speeds remediation

Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug (CVE-2022-4262; QID 377804) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine.
Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.
Google’s previous zero-days were also released right before a weekend (see Don’t spend another weekend patching Chrome and Don’t Spend Your Holiday Season Patching
Qualys
November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities With 10 Critical; Adobe Releases Zero Advisories (for the First Time in Six Years). | Qualys
blogs_qualys·2022-11-08·CVSS 7.5
[HIGH] November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities With 10 Critical; Adobe Releases Zero Advisories (for the First Time in Six Years). | Qualys
#### Table of Contents
- Microsoft Patch Tuesday Summary
- The November 2022 Microsoft Vulnerabilities are Classified as Follows:
- OpenSSL 3.x Critical Vulnerability Highlights
- OpenSSL 3.x Related Blogs and Resources
- Microsoft Addressed Six Zero-Day Vulnerabilities
- Microsoft Patch Tuesday Critical Vulnerability Highlights
- Microsoft Release Summary
- Adobe Security Bulletins and Advisories
- About Qualys Patch Tuesday
- Qualys Threat Research Blog Posts
- Qualys Threat Protection High-Rated Advisories
- Discover and Prioritize Vulnerabilities in Vulnerability Management Detection Response (VMDR)
- Rapid Response with Patch Management (PM)
- Extend the Power of VMDR to Enterprise Mobile Devices With Qualys VMDR Mobile
- Execute Mitigation Using Custom Assessment and Remediation (CAR)
Checkpoint
31st October – Threat Intelligence Report
blogs_checkpoint·2022-10-31
CVE-2022-3723 31st October – Threat Intelligence Report
## 31st October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
US-based communications company Twilio has disclosed a new data breach that occurred in June 2022, allegedly carried out by the same threat actors behind the August hack. The hackers used voice phishing to trick a Twilio employee into handing over their credentials, which the hackers then used to access customer information.
Cu
Qualys
Don’t spend another weekend patching Chrome
blogs_qualys·2022-10-28·CVSS 8.8
CVE-2022-3723 [HIGH] Don’t spend another weekend patching Chrome
## Table of Contents
- Zero Day and Third-Party Applications
- Respond Faster with Zero Touch
- Using Qualys and Zero-Touch Patching to Reduce Risk
- Contributors

As we head into the weekend, Google has released an emergency security update for the Chrome desktop web browser to address a high-severity vulnerability known to be exploited in the wild. This is the seventh Chrome zero-day fixed this year by Google. This security bug (CVE-2022-3723; QID 377721) is a type-confusion flaw in the Chrome V8 JavaScript engine.
Google has not shared details on the nature of attacks in which this vulnerability is exploited but mentioned they are aware of reports that an exploit for this vulnerability exists in the wild.
The vulnerability is a “type confusion” that affects the V8 component of Chrome.
Bugzilla
Opening intents without asking puts Firefox users at risk of any known exploit in any intent-addressable app that hasn't been patched
bugzilla·2023-01-17
Opening intents without asking puts Firefox users at risk of any known exploit in any intent-addressable app that hasn't been patched
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Steps to reproduce:
1. Visit [exploit](https://kirtikumarar.com/1.html)
2. Click on the hyperlink
Actual results:
The browser will redirect to the target app without notifying the User and use the available Chromium exploit to trigger RCE there.
Expected results:
It should check and ask if the user wants to be redirected to Samsung Internet
Discussion:
The bug was marked "in-the-wild" here: https://bugs.chromium.org/p/chromium/issues/detail?id=1345630
A similar bug was exploited in the wild in the Firefox browser https://bug
- https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html
- https://crbug.com/1378239
- https://security.gentoo.org/glsa/202305-10
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-3723
Published: 2022-11-01
Added to CISA KEV: 2022-10-28
Exploited in the wild