CVE-2023-4069
published 2023-08-03CVE-2023-4069: Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…
PriorityP262high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
24.12%
97.6th percentile
Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 115.0.5790.170-1~deb11u1 | 115.0.5790.170-1~deb11u1 |
| chromium | chromium | >= 0 < 115.0.5790.170-1~deb12u1 | 115.0.5790.170-1~deb12u1 |
| chromium | chromium | >= 0 < 115.0.5790.170-1 | 115.0.5790.170-1 |
| chromium | chromium | >= 0 < 115.0.5790.170-1 | 115.0.5790.170-1 |
| debian | chromium | < chromium 115.0.5790.170-1~deb12u1 (bookworm) | chromium 115.0.5790.170-1~deb12u1 (bookworm) |
| chrome | < 115.0.5790.170 | 115.0.5790.170 | |
| chrome | >= 115.0.5790.170 < 115.0.5790.170 | 115.0.5790.170 | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability is triggered via a crafted HTML page delivered remotely; monitor for suspicious Chrome/Edge renderer process crashes or unexpected V8 heap corruption signals in browser telemetry. ↗
- →Flag Google Chrome versions prior to 115.0.5790.170 and Microsoft Edge (Chromium-based) versions prior to 115.0.1901.200 as unpatched and at risk. ↗
- ·The vulnerability resides in the V8 JavaScript engine (Type Confusion); exploitation requires the attacker to deliver a crafted HTML page to the victim — no server-side component or special configuration is needed beyond a vulnerable browser version. ↗
- ·Both Google Chrome and Microsoft Edge (Chromium-based) are affected because Edge ingests Chromium; patching must be applied to both browser families independently. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-g63v-hwv9-j9q5: Type Confusion in V8 in Google Chrome prior to 115
ghsa_unreviewed·2023-08-03
CVE-2023-4069 [HIGH] CWE-843 GHSA-g63v-hwv9-j9q5: Type Confusion in V8 in Google Chrome prior to 115
Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2023-4069: Type Confusion in V8 in Google Chrome prior to 115
osv·2023-08-03·CVSS 8.8
CVE-2023-4069 [HIGH] CVE-2023-4069: Type Confusion in V8 in Google Chrome prior to 115
Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Microsoft
Chromium: CVE-2023-4069 Type Confusion in V8
vendor_msrc·2023-08-08·CVSS 8.8
CVE-2023-4069 [HIGH] Chromium: CVE-2023-4069 Type Confusion in V8
Chromium: CVE-2023-4069 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
Click on Help and Feedback
Click on About Microsoft Edge
FAQ: What is
Debian
CVE-2023-4069: chromium - Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote a...
vendor_debian·2023·CVSS 8.8
CVE-2023-4069 [HIGH] CVE-2023-4069: chromium - Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote a...
Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 115.0.5790.170-1~deb12u1)
bullseye: resolved (fixed in 115.0.5790.170-1~deb11u1)
forky: resolved (fixed in 115.0.5790.170-1)
sid: resolved (fixed in 115.0.5790.170-1)
trixie: resolved (fixed in 115.0.5790.170-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop.htmlhttps://crbug.com/1465326https://lists.fedoraproject.org/archives/list/[email protected]/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/https://security.gentoo.org/glsa/202311-11https://security.gentoo.org/glsa/202312-07https://security.gentoo.org/glsa/202401-34https://www.debian.org/security/2023/dsa-5467https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop.htmlhttps://crbug.com/1465326https://lists.fedoraproject.org/archives/list/[email protected]/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/https://security.gentoo.org/glsa/202311-11https://security.gentoo.org/glsa/202312-07https://security.gentoo.org/glsa/202401-34https://www.debian.org/security/2023/dsa-5467
2023-08-03
Published