cbcvebase.
CVE-2023-3079
published 2023-06-05

CVE-2023-3079: Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…

PriorityP187high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2023-06-28
Exploited in the wild
EPSS
32.72%
98.1th percentile
Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected

15 ranges
VendorProductVersion rangeFixed in
chromiumchromium>= 0 < 114.0.5735.106-1~deb11u1114.0.5735.106-1~deb11u1
chromiumchromium>= 0 < 114.0.5735.106-1~deb12u1114.0.5735.106-1~deb12u1
chromiumchromium>= 0 < 114.0.5735.106-1114.0.5735.106-1
chromiumchromium>= 0 < 114.0.5735.106-1114.0.5735.106-1
couchbasecouchbase_server< 7.1.57.1.5
couchbasecouchbase_server
debianchromium< chromium 114.0.5735.106-1~deb12u1 (bookworm)chromium 114.0.5735.106-1~deb12u1 (bookworm)
debiandebian_linux
debiandebian_linux
fedoraprojectfedora
fedoraprojectfedora
googlechrome< 114.0.5735.110114.0.5735.110
googlechrome>= 114.0.5735.110 < 114.0.5735.110114.0.5735.110
googlechrome_chrome
msrcmicrosoft_edge

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2023-3079 is a type confusion vulnerability in the V8 JavaScript engine; exploit delivery requires a crafted HTML page — monitor for suspicious or anomalous HTML/JS content served to Chrome/Edge users, especially from untrusted sources.
  • Exploitation vector is purely network-based (no authentication required); delivery is via malicious URL — monitor proxy/web gateway logs for users navigating to suspicious pages that could trigger V8 type confusion.
  • Google confirmed an exploit exists in the wild; prioritize detection of Chrome/Edge processes spawning unexpected child processes or making anomalous network connections, which may indicate post-exploitation activity following heap corruption.
  • ·Only limited technical details were publicly available at time of initial disclosure; full exploit mechanics were not published, limiting signature-based detection specificity.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.