CVE-2023-2724
published 2023-05-16CVE-2023-2724: Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…
PriorityP263high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
29.14%
97.9th percentile
Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 113.0.5672.126-1~deb11u1 | 113.0.5672.126-1~deb11u1 |
| chromium | chromium | >= 0 < 113.0.5672.126-1 | 113.0.5672.126-1 |
| chromium | chromium | >= 0 < 113.0.5672.126-1 | 113.0.5672.126-1 |
| chromium | chromium | >= 0 < 113.0.5672.126-1 | 113.0.5672.126-1 |
| debian | chromium | < chromium 113.0.5672.126-1 (bookworm) | chromium 113.0.5672.126-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 113.0.5672.126 | 113.0.5672.126 | |
| chrome | >= 113.0.5672.126 < 113.0.5672.126 | 113.0.5672.126 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
| msrc | microsoft_edge_extended_stable | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability is triggered via a crafted HTML page delivered remotely, targeting the V8 JavaScript engine's type confusion weakness leading to heap corruption in Chrome versions prior to 113.0.5672.126 ↗
- ·Fixed in Google Chrome stable 113.0.5672.126; Microsoft Edge (Chromium-based) fixed in version 113.0.1774.50 (based on Chromium 113.0.5672.126/.127), released 2023-05-18. Debian packages fixed in 113.0.5672.126-1 across bookworm, bullseye, forky, sid, and trixie. ↗
- ·ChromeOS Long Term Support channel also received a fix for CVE-2023-2724; organizations running ChromeOS LTS should verify patching separately. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2023-2724: Type confusion in V8 in Google Chrome prior to 113
osv·2023-05-16·CVSS 8.8
CVE-2023-2724 [HIGH] CVE-2023-2724: Type confusion in V8 in Google Chrome prior to 113
Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
GHSA
GHSA-j5rv-3m5p-q6rc: Type confusion in V8 in Google Chrome prior to 113
ghsa_unreviewed·2023-05-16
CVE-2023-2724 [HIGH] CWE-843 GHSA-j5rv-3m5p-q6rc: Type confusion in V8 in Google Chrome prior to 113
Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2023-2724
vendor_chrome·2023-06-14·CVSS 8.8
CVE-2023-2724 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2023-2724
Long Term Support Channel Update for ChromeOS
CVE-2023-2724
Microsoft
Chromium: CVE-2023-2724 Type Confusion in V8
vendor_msrc·2023-05-09·CVSS 8.8
CVE-2023-2724 [HIGH] Chromium: CVE-2023-2724 Type Confusion in V8
Chromium: CVE-2023-2724 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
Click on Help and Feedback
Click on About Microsoft Edge
FAQ: What is
Debian
CVE-2023-2724: chromium - Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote a...
vendor_debian·2023·CVSS 8.8
CVE-2023-2724 [HIGH] CVE-2023-2724: chromium - Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote a...
Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 113.0.5672.126-1)
bullseye: resolved (fixed in 113.0.5672.126-1~deb11u1)
forky: resolved (fixed in 113.0.5672.126-1)
sid: resolved (fixed in 113.0.5672.126-1)
trixie: resolved (fixed in 113.0.5672.126-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/173131/Chrome-Internal-JavaScript-Object-Access-Via-Origin-Trials.htmlhttps://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_16.htmlhttps://crbug.com/1433211https://lists.fedoraproject.org/archives/list/[email protected]/message/73XUIHJ6UT75VFPDPLJOXJON7MVIKVZI/https://lists.fedoraproject.org/archives/list/[email protected]/message/FXFL4TDAH72PRCPD5UPZMJMKIMVOPLTI/https://security.gentoo.org/glsa/202309-17https://security.gentoo.org/glsa/202311-11https://www.debian.org/security/2023/dsa-5404http://packetstormsecurity.com/files/173131/Chrome-Internal-JavaScript-Object-Access-Via-Origin-Trials.htmlhttps://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_16.htmlhttps://crbug.com/1433211https://lists.fedoraproject.org/archives/list/[email protected]/message/73XUIHJ6UT75VFPDPLJOXJON7MVIKVZI/https://lists.fedoraproject.org/archives/list/[email protected]/message/FXFL4TDAH72PRCPD5UPZMJMKIMVOPLTI/https://security.gentoo.org/glsa/202309-17https://security.gentoo.org/glsa/202311-11https://www.debian.org/security/2023/dsa-5404
2023-05-16
Published