CVE-2022-3723 — Google Chromium V8 Type Confusion Vulnerability

CVE-2022-3723

Google Chrome/Chromium V8: Type Confusion Enables Heap Corruption via Crafted HTML; October 2022 Zero-Day; Discovered by Avast Threat Intelligence; Fixed in Chrome 107.0.5304.87 (107.0.5304.87/.88 on Windows)

What is Google Chrome V8?

V8 is Google's open-source JavaScript and WebAssembly engine, used by Chrome and every Chromium-based browser. At the time of this bug (Chrome 107) V8 ran JavaScript through three tiers: the Ignition interpreter, the Sparkplug baseline compiler, and the TurboFan optimizing JIT (the Maglev mid-tier JIT was added later, in 2023). TurboFan speculates on the types of values observed during interpretation, emits native code specialized for those types, and guards the speculation with checks that deoptimize back to Ignition when it fails. A type confusion vulnerability (CWE-843) is any case where V8 code, whether JIT-compiled or a hand-written builtin, operates on a value as though it were one type when at runtime it is another: the resulting loads and stores use the wrong object layout, which yields out-of-bounds heap access and, from there, code execution inside the renderer process. V8 zero-days are among the most valuable browser vulnerabilities, with a sustained market of exploit buyers and a steady cadence of in-the-wild V8 bugs throughout 2022.

Overview

CVE-2022-3723 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page; the victim only has to load an attacker-controlled page. Google patched it on October 27, 2022 in Chrome 107.0.5304.87 (107.0.5304.87/.88 on Windows), an out-of-band stable release for an actively exploited zero-day, and stated in the release note that it was aware of reports that an exploit exists in the wild. CISA added it to the KEV catalog on October 28, one day after the patch and four days before NVD published the entry on November 1. It was one of several Chrome V8 zero-days found in 2022, reflecting a sustained pattern of in-the-wild browser engine exploitation.

Affected Versions

Product | Affected | Fixed
Google Chrome (all platforms) | Prior to 107.0.5304.87 | 107.0.5304.87 on Mac/Linux, 107.0.5304.87/.88 on Windows (October 27, 2022)
Microsoft Edge and other Chromium-based browsers | Prior to each vendor's October/November 2022 release carrying the V8 fix | Respective vendor updates (the fixed build number comes from each vendor's advisory, not from the Chrome version)

Technical Details

Google's advisory describes CVE-2022-3723 only as "Type confusion in V8" and does not disclose the root cause, so what follows is the generic V8 type confusion exploitation pattern, not a description of this specific bug. A type confusion arises when some V8 component, most often TurboFan's speculative type inference but also hand-written builtins and runtime functions, acts on a value under an incorrect assumption about its type. The usual chain:

  1. Train V8's type feedback: execute JavaScript that causes V8 to speculatively optimize a hot function under the assumption that a value has a specific type (e.g., a Smi integer)
  2. Violate the type assumption: reach a code path that produces a different type at the same program point (e.g., a heap object pointer instead of an integer) without triggering the guard that should deoptimize the function
  3. Out-of-bounds heap access: the optimized code performs arithmetic or memory access using the assumed type's layout on a value of a different type, reading or writing beyond object boundaries
  4. Heap corruption: adjacent V8 heap objects (ArrayBuffer backing stores, Map pointers, JSFunction code fields) are corrupted, giving the attacker arbitrary read/write over the renderer's address space
  5. Code execution: with control over V8 heap internals, redirect execution to attacker-controlled native code in the Chrome renderer process; a separate sandbox escape (a browser-process or OS bug) is still needed for full OS compromise

CVE-2022-3723 was followed by CVE-2022-4135 (November 2022, a heap buffer overflow in Chrome's GPU component, not V8) and CVE-2022-4262 (December 2022, another type confusion in V8), giving Chrome three actively exploited zero-days in the final quarter of 2022.

Discovery

CVE-2022-3723 was discovered by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast Threat Intelligence, who found it being exploited in the wild and reported it to Google on October 25, 2022; Google shipped the fix two days later. The one-day CISA KEV addition (October 28), ahead of NVD publication on November 1, reflects CISA's fast-track handling of confirmed in-the-wild browser zero-days: KEV inclusion needs a CVE ID, evidence of active exploitation and an available fix, none of which waits on NVD analysis.

Exploitation Context

Google's release note said only that an exploit for CVE-2022-3723 exists in the wild; public details of the campaign and of the full exploit chain were not released with the patch. In-the-wild exploitation of a browser engine bug almost always means a chain: renderer code execution from the V8 bug, then a separate sandbox escape (a browser-process or OS vulnerability) for full device compromise, all triggered by the victim visiting an attacker-controlled page with no download and no further interaction. Even without a sandbox escape, the attacker gets everything the compromised renderer holds: the site's cookies, session tokens and page content for the origins rendered in that process.

All Chromium-based browsers (Chrome, Edge, Opera, Brave, Samsung Internet, Vivaldi) share V8 and are affected by V8 vulnerabilities, but each vendor ships the fix under its own version numbering and on its own schedule. Enterprise environments with heterogeneous Chromium-based browser deployments therefore need coordinated updates across all browser products, verified against each vendor's fixed build rather than against the Chrome version.

Remediation

  1. Update Chrome to 107.0.5304.87 or later (107.0.5304.88 is also fixed on Windows). Open chrome://settings/help (Menu → Help → About Google Chrome) to pull the update; Chrome's auto-update typically fetches patches within hours of release, but the patched binary only runs after the browser is relaunched, so a pending "Relaunch" button still means a vulnerable process.
  2. Update all Chromium-based browsers. Microsoft Edge, Opera, Brave, Vivaldi and other Chromium-based browsers share V8; apply each vendor's own October/November 2022 release and verify against the vendor's fixed build number, not Chrome's.
  3. Enable automatic updates and enforce relaunch. Keep Chrome and Edge auto-update on, and use the RelaunchNotification policy so long-running sessions do not keep executing the old binary after the update has downloaded.
  4. Monitor browser versions via endpoint management. Use MDM, GPO or an EDR inventory to enforce minimum browser versions and detect outdated installations at scale, comparing versions as four numeric components rather than as strings.
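As an added example (not part of the advisory), the following script shows the version check from step 4 done correctly against an endpoint inventory export. It assumes a CSV with the columns hostname, product and version (the sample below is constructed, not real telemetry), compares Chrome builds numerically against 107.0.5304.87, and refuses to guess for other Chromium browsers, whose fixed builds come from their own vendors.

```python
"""Flag browser installs still vulnerable to CVE-2022-3723 from an inventory export.

Added example, not from the advisory. Assumes a CSV export with columns
hostname,product,version; the embedded inventory below is constructed.
Chrome's fixed build is 107.0.5304.87 (107.0.5304.87/.88 on Windows).
Other Chromium browsers carry their own version numbers, so for those the
script reports the Chromium major it saw instead of inventing a fixed build.
"""
import csv
import io
import re

CHROME_FIXED = (107, 0, 5304, 87)

# Constructed sample inventory, not real telemetry.
SAMPLE_INVENTORY = """hostname,product,version
ws-001,Google Chrome,107.0.5304.87
ws-002,Google Chrome,107.0.5304.88
ws-003,Google Chrome,107.0.5304.62
ws-004,Google Chrome,106.0.5249.119
ws-005,Google Chrome,108.0.5359.71
ws-006,Microsoft Edge,106.0.1370.52
ws-007,Google Chrome,bogus
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse a Chromium-style four-part version into a tuple of ints.

    Returns None on malformed input. Integers matter: as strings,
    '107.0.5304.9' would sort after '107.0.5304.87' and hide a vulnerable host.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def chrome_is_vulnerable(version):
    """True if a Chrome build precedes the fixed build (tuple comparison is lexicographic)."""
    return version < CHROME_FIXED


def assess_inventory(csv_text):
    """Return (hostname, product, version, status) for each inventory row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ver = parse_version(row["version"])
        if ver is None:
            status = "unparseable"
        elif row["product"] == "Google Chrome":
            status = "vulnerable" if chrome_is_vulnerable(ver) else "patched"
        else:
            # Edge, Brave etc. ship the V8 fix under their own build numbers;
            # compare against that vendor's advisory, not against Chrome's.
            status = "check-vendor (Chromium major %d)" % ver[0]
        results.append((row["hostname"], row["product"], row["version"], status))
    return results


def vulnerable_hosts(csv_text):
    """Hostnames whose Chrome build is confirmed older than the fix."""
    return [r[0] for r in assess_inventory(csv_text) if r[3] == "vulnerable"]


if __name__ == "__main__":
    for row in assess_inventory(SAMPLE_INVENTORY):
        print("%-8s %-16s %-16s %s" % row)
```

Feed it the real export in place of SAMPLE_INVENTORY; "unparseable" rows deserve a look too, since a blank or odd version string in an inventory usually means the agent could not read the install at all.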

Key Details

Property | Value
CVE ID | CVE-2022-3723
Vendor / Product | Google, Chromium V8
NVD Published | 2022-11-01
NVD Last Modified | 2025-10-24
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-843 (Access of Resource Using Incompatible Type, "Type Confusion")
CISA KEV Added | 2022-10-28
CISA KEV Deadline | 2022-11-18
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Reading the vector: no privileges are needed and the only user action is opening a page (UI:R). Scope Unchanged means the score rates the compromise of the browser itself; a sandbox escape chained after it is a separate vulnerability with its own CVE.

Required Action

CISA BOD 22-01 Deadline: 2022-11-18. Apply updates per vendor instructions.

Timeline

Date | Event
2022-10-25 | Avast Threat Intelligence (Jan Vojtěšek, Milánek, Przemek Gmerek) reports the in-the-wild bug to Google
2022-10-27 | Google releases Chrome 107.0.5304.87/.88 patching CVE-2022-3723 as an actively exploited zero-day
2022-10-28 | CISA adds CVE-2022-3723 to the Known Exploited Vulnerabilities catalog, one day after Google's patch and four days before NVD publication
2022-11-01 | CVE-2022-3723 formally published to NVD
2022-11-18 | CISA BOD 22-01 remediation deadline