⚠ Actively exploited
Added to CISA KEV on 2022-10-28. Federal agencies required to patch by 2022-11-18. Required action: Apply updates per vendor instructions.

CVE-2022-3723: Type Confusion in Google Chrome

Severity: 8.8 HIGH (NVD)
EPSS: 0.5% (top 33.05%)
CISA KEV: Added 2022-10-28 | Due 2022-11-18
Exploit: Exploited in wild | Active exploitation observed
Timeline: KEV added Oct 28 | Published Nov 1 | KEV due Nov 18 | Latest update May 29

Description

Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (6 packages)

CVEListV5 | google/chrome | unspecified | 107.0.5304.87
NVD | google/chrome | < 107.0.5304.87
debian | debian/chromium | < chromium 107.0.5304.87-1 (bookworm)
Debian | chromium/chromium | < 107.0.5304.87-1~deb11u1+3

🔴 Vulnerability Details (5)

GHSA | GHSA-6jmv-jqhj-cg68: Type confusion in V8 in Google Chrome prior to 107 | 2022-11-02
OSV | CVE-2022-3723: Type confusion in V8 in Google Chrome prior to 107 | 2022-11-01
VulnCheck | Google Chromium V8 Type Confusion Vulnerability | 2022
Project0 | Project Zero RCA: CVE-2022-3723: Logic Issue in Turbofan JIT Compiler
Project0 | Project Zero RCA: CVE-2022-4135: Chrome heap buffer overflow in validating command decoder

📋 Vendor Advisories (4)

CISA | Google Chromium V8 Type Confusion Vulnerability | 2022-10-28
Chrome | Stable Channel Update for Desktop: CVE-2022-3723 | 2022-10-27
Microsoft | Chromium: CVE-2022-3723 Type Confusion in V8 | 2022-10-11
Debian | CVE-2022-3723: chromium - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote at... | 2022

🕵️ Threat Intelligence (7)

Sentinelone | Navigating the Cybersecurity Twitterverse | 23 Influential Accounts to Follow in 2023 | 2023-05-29
Qualys | The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend | 2022-12-03
Qualys | November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities With 10 Critical; Adobe Releases Zero Advisories (for the First Time in Six Years). | 2022-11-08
Qualys | November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities With 10 Critical; Adobe Releases Zero Advisories (for the First Time in Six Years). | Qualys | 2022-11-08

💬 Community (1)

Bugzilla | Opening intents without asking puts Firefox users at risk of any known exploit in any intent-addressable app that hasn't been patched | 2023-01-17