CVE-2023-4362
Published 2023-08-15
Priority: P261 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 18.46% (96.9th percentile)
Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process and gained control of a WebUI process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 116.0.5845.96-1~deb11u1 | 116.0.5845.96-1~deb11u1 |
| chromium | chromium | >= 0 < 116.0.5845.96-1~deb12u1 | 116.0.5845.96-1~deb12u1 |
| chromium | chromium | >= 0 < 116.0.5845.96-1 | 116.0.5845.96-1 |
| chromium | chromium | >= 0 < 116.0.5845.96-1 | 116.0.5845.96-1 |
| debian | chromium | < chromium 116.0.5845.96-1~deb12u1 (bookworm) | chromium 116.0.5845.96-1~deb12u1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| | chrome | < 116.0.5845.96 | 116.0.5845.96 |
| | chrome | >= 116.0.5845.96 < 116.0.5845.96 | 116.0.5845.96 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs
- Vulnerability exists in Google Chrome prior to version 116.0.5845.96; detect outdated Chrome installations below this version as potentially vulnerable to CVE-2023-4362 (Heap buffer overflow in Mojom IDL)
- Exploitation requires a compromised renderer process that has also gained control of a WebUI process — look for renderer process compromise chained with WebUI process access as a two-stage attack indicator
- Debian fixed packages are available; on Debian systems, flag chromium packages older than 116.0.5845.96-1~deb12u1 (bookworm), 116.0.5845.96-1~deb11u1 (bullseye), or 116.0.5845.96-1 (sid/trixie/forky)
- Exploitation requires a multi-step compromise: attacker must first compromise the renderer process AND separately gain control of a WebUI process before the heap overflow in Mojom IDL can be triggered — standalone renderer compromise is insufficient
- Chromium security severity is rated Medium; exploitation is constrained by the prerequisite of prior renderer and WebUI process compromise, limiting real-world exploitability
CVSS provenance
- nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- osv · 8.8 HIGH
- vendor_debian · 8.8 HIGH
- vendor_msrc · 8.8 HIGH
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2023-4362
vendor_chrome·2023-09-11·CVSS 8.8
CVE-2023-4362 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2023-4362
CVE-2023-4362
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-4361
vendor_chrome·2023-08-25·CVSS 5.3
CVE-2023-4361 [MEDIUM] Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-4361
- CVE-2023-4361: Inappropriate implementation in Autofill. Reported by Thomas Orlita on 2023-07-17
- [$1000][1316379] Medium CVE-2023-4362: Heap buffer overflow in Mojom IDL. Reported by Zhao Hai of NanJing Cyberpeace TianYu Lab on 2022-04-14
- [$1000][1367085] Medium CVE-2023-4363: Inappropriate implementation in WebShare
Severity: medium
Microsoft
Chromium: CVE-2023-4362 Heap buffer overflow in Mojom IDL
vendor_msrc·2023-08-08·CVSS 8.8
CVE-2023-4362 [HIGH] Chromium: CVE-2023-4362 Heap buffer overflow in Mojom IDL
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 116.0.1938.54 | 8/21/2023 | 116.0.5845.96/.97 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the bro
Debian
CVE-2023-4362: chromium - Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowe...
vendor_debian·2023·CVSS 8.8
CVE-2023-4362 [HIGH] CVE-2023-4362: chromium - Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowe...
Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process and gained control of a WebUI process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Scope: local
bookworm: resolved (fixed in 116.0.5845.96-1~deb12u1)
bullseye: resolved (fixed in 116.0.5845.96-1~deb11u1)
forky: resolved (fixed in 116.0.5845.96-1)
sid: resolved (fixed in 116.0.5845.96-1)
trixie: resolved (fixed in 116.0.5845.96-1)
OSV
CVE-2023-4362: Heap buffer overflow in Mojom IDL in Google Chrome prior to 116
osv·2023-08-15·CVSS 8.8
CVE-2023-4362 [HIGH] CVE-2023-4362: Heap buffer overflow in Mojom IDL in Google Chrome prior to 116
Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process and gained control of a WebUI process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
GHSA
GHSA-ggf2-7g57-86j8: Heap buffer overflow in Mojom IDL in Google Chrome prior to 116
ghsa_unreviewed·2023-08-15
CVE-2023-4362 [HIGH] CWE-787 GHSA-ggf2-7g57-86j8: Heap buffer overflow in Mojom IDL in Google Chrome prior to 116
Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process and gained control of a WebUI process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop_15.html
- https://crbug.com/1316379
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2DMXHPRUGBUDNHZCZCIVMWAUIEXEGMGT/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/OCFEK63FUHFXZH5MSG6TNQOXMQWM4M5S/
- https://security.gentoo.org/glsa/202401-34
- https://www.debian.org/security/2023/dsa-5479
Published: 2023-08-15