CVE-2023-3079 — Google Chromium V8 Type Confusion Vulnerability

CVE-2023-3079

Chromium V8 — First Chrome Zero-Day of 2023; Type Confusion Enabling Heap Corruption via Crafted Web Page

What is Chromium V8?

V8 is Google's open-source JavaScript and WebAssembly engine, embedded in Chrome, Edge, Node.js, Electron, and Deno. It compiles JavaScript to native machine code using a multi-tier JIT (just-in-time) compilation pipeline. Type confusion vulnerabilities in V8 arise when the engine's optimizer makes incorrect type assumptions about JavaScript objects, allowing attackers to corrupt memory by treating one object type as another. Because V8 executes the JavaScript of every web page a user visits, it is one of the highest-value attack surfaces in the browser.

Overview

CVE-2023-3079 is a type confusion vulnerability in V8 that allows a remote attacker to potentially exploit heap corruption by visiting a specially crafted web page. Google disclosed and patched it on June 5, 2023 in Chrome 114.0.5735.110 as an actively exploited zero-day — the first V8 zero-day of 2023. CISA added it to the KEV catalog two days later.

Affected Versions

Product                       | Affected                        | Fixed
Google Chrome                 | Prior to 114.0.5735.110         | 114.0.5735.110
Microsoft Edge (Chromium)     | Corresponding unpatched version | Updated with Chromium patch
Other Chromium-based browsers | Corresponding versions          | Varies by browser

Technical Details

Type confusion (CWE-843) in V8 allows an attacker to manipulate the JavaScript runtime into treating a heap object of one type as if it were a different type. V8's JIT compiler makes type specialization decisions based on observed object types at runtime. A crafted JavaScript sequence can exploit these optimized paths: by creating objects that appear to be one type during the type feedback collection phase but are actually different objects when the optimized code executes, the attacker causes V8 to access fields at offsets that are wrong for the actual object layout.

This out-of-bounds access enables reading or writing memory beyond the object's bounds. By carefully controlling heap layout before triggering the confusion, attackers can achieve:

  • Reading adjacent heap objects to leak V8 addresses (defeating ASLR)
  • Writing to adjacent heap objects to corrupt control-flow data
  • Achieving arbitrary code execution within the Chrome renderer sandbox

Full device compromise then requires a separate sandbox escape (not part of this CVE).

Discovery

Clément Lecigne of Google's Threat Analysis Group (TAG) reported CVE-2023-3079. TAG's discovery of their own browser's zero-day indicates they observed the vulnerability being exploited in the wild against real targets — likely high-risk individuals targeted by commercial surveillance operators.

Exploitation Context

V8 type confusion zero-days are consistently exploited by commercial surveillance vendors (Pegasus, Predator, Candiru, and others) as browser-based initial access vectors. The first zero-day of the year in any major browser tends to be associated with actively maintained exploit kits — the exploit was almost certainly developed months before disclosure and used in targeted spyware delivery against journalists, opposition politicians, or other civil society targets before Google's TAG discovered it in use.

CISA added CVE-2023-3079 to KEV 48 hours after the Chrome patch, the minimum realistic timeline for the KEV process.

Remediation

  1. Update Chrome to 114.0.5735.110 or later — apply via Chrome's automatic update mechanism or Settings → Help → About Google Chrome.
  2. Update Edge, Brave, Opera, and other Chromium-based browsers — each embeds its own Chromium build and requires independent updates.
  3. Enable automatic browser updates — V8 zero-days are discovered and patched rapidly; automatic updates minimize the window of exposure.
  4. Deploy Chrome Enterprise policies to enforce minimum version requirements across managed devices — prevents users from deferring critical browser updates.
  5. Use Chrome's site isolation to ensure renderer exploits cannot directly access cross-origin content or the browser process.
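A fleet check that applies the version threshold from steps 1 and 4, added here as an example and not part of the original advisory or any Google tooling; the inventory lines are constructed sample output of `google-chrome --version` / `chromium --version`, and the threshold applies to Chrome/Chromium builds only (Edge and other vendors number their builds differently).

```python
"""Flag Chromium-based browser builds older than the CVE-2023-3079 fix (114.0.5735.110).
Added example; inventory data below is constructed, not real hosts."""
import re
from typing import List, Optional, Tuple

FIXED_CHROME = "114.0.5735.110"  # first Chrome build carrying the fix, per the advisory

# Matches the 4-part version printed by `google-chrome --version` or `chromium --version`,
# e.g. "Google Chrome 114.0.5735.106" or "Chromium 113.0.5672.126 snap".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a 4-part Chromium version as an int tuple, or None if none is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(text: str, fixed: str = FIXED_CHROME) -> Optional[bool]:
    """Numeric, not lexical, comparison: 114.0.5735.90 is OLDER than 114.0.5735.110,
    although a plain string compare ("90" > "110") would say the opposite."""
    v = parse_version(text)
    if v is None:
        return None
    return v >= parse_version(fixed)

# Constructed sample inventory: (hostname, captured output of `<browser> --version`).
# Only Chrome/Chromium lines are meaningful against FIXED_CHROME; Edge uses its own numbering.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 114.0.5735.110"),
    ("ws-02", "Google Chrome 114.0.5735.90"),   # lexically "bigger", numerically older
    ("ws-03", "Chromium 113.0.5672.126 snap"),
    ("ws-04", "Google Chrome 115.0.5790.98"),
    ("ws-05", "bash: google-chrome: command not found"),
]

def find_vulnerable(inventory) -> Tuple[List[str], List[str]]:
    """Return (hosts below the fixed version, hosts with no parseable version).
    Unparseable hosts are not silently treated as patched; they go to manual review."""
    vulnerable, unknown = [], []
    for host, output in inventory:
        status = is_patched(output)
        if status is None:
            unknown.append(host)
        elif not status:
            vulnerable.append(host)
    return vulnerable, unknown

if __name__ == "__main__":
    vuln, unk = find_vulnerable(SAMPLE_INVENTORY)
    print("needs update:", vuln)    # ['ws-02', 'ws-03']
    print("manual review:", unk)    # ['ws-05']
```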

Key Details

Property             | Value
CVE ID               | CVE-2023-3079
Vendor / Product     | Google — Chromium V8
NVD Published        | 2023-06-05
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 8.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-843
CISA KEV Added       | 2023-06-07
CISA KEV Deadline    | 2023-06-28
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-06-28. Apply updates per vendor instructions.

Timeline

Date       | Event
2023-06-05 | Google releases Chrome 114.0.5735.110 (Windows/Mac/Linux) patching CVE-2023-3079 as an actively exploited zero-day
2023-06-07 | Added to CISA Known Exploited Vulnerabilities catalog
2023-06-28 | CISA BOD 22-01 remediation deadline

References

Resource                                         | Type
Google Chrome Stable Channel Update, June 5, 2023 | Vendor Advisory
NVD — CVE-2023-3079                              | Vulnerability Database
CISA KEV Catalog Entry                           | US Government