CVE-2023-4762 — Google Chromium V8 Type Confusion Vulnerability

CVE-2023-4762

Chromium V8 — Type Confusion in JavaScript Engine Enabling Remote Code Execution via Crafted Web Page

What is Chromium V8?

V8 is Google's open-source JavaScript and WebAssembly engine, embedded in Chrome, Edge, Node.js, and many other environments. It is responsible for parsing, compiling, and executing all JavaScript that runs on a web page. Because every web page executes JavaScript, V8 is one of the most frequently exercised and most security-critical components in a browser. Type confusion bugs in V8 — where the engine misidentifies the type of an object — are a well-established class of vulnerability that can lead to memory corruption and arbitrary code execution in the renderer process.

Overview

CVE-2023-4762 is a type confusion vulnerability in the V8 JavaScript engine that allows a remote attacker to execute arbitrary code when a user visits a specially crafted web page. Google patched it in Chrome 116.0.5845.179 on September 5, 2023. Although Google patched it promptly, active exploitation in the wild was later confirmed, and CISA added it to the KEV catalog in February 2024, approximately five months after the patch was released.

Affected Versions

Product                         Affected                    Fixed
Google Chrome                   Prior to 116.0.5845.179     116.0.5845.179
Microsoft Edge (Chromium)       Corresponding versions      Updated with Chromium patch
Other Chromium-based browsers   Corresponding versions      Varies by browser

Technical Details

Type confusion (CWE-843) occurs when V8 operates on a JavaScript object using incorrect type assumptions. V8's JIT (just-in-time) compiler makes optimization assumptions about object types based on type feedback gathered at runtime. An attacker can construct a JavaScript sequence that misleads V8's type inference system into treating an object of one type as another, then exploit the mismatch to read or write memory at attacker-controlled offsets. This out-of-bounds access can be used to corrupt the renderer process heap and achieve arbitrary code execution.

The attack vector is purely via JavaScript in a web page — visiting a malicious site or loading a malicious ad is sufficient. In a browser context, the renderer sandbox limits the immediate impact; full device compromise requires chaining with a sandbox escape.

The five-month gap between patch release (September 2023) and KEV addition (February 2024) is notable: it suggests exploitation began either shortly after patch release (attackers reverse-engineer patches to develop exploits) or was ongoing from before the patch in a limited way that was only confirmed later.

Discovery

Reported by an external researcher. The subsequent KEV addition in February 2024 indicates that CISA's threat intelligence confirmed active exploitation.

Exploitation Context

V8 type confusion vulnerabilities are among the most commonly exploited browser bugs. They are reliable, relatively easy to weaponize once identified, and affect all users on unpatched Chrome versions. Historically, such bugs have been used by commercial spyware operators, APT groups, and financially motivated attackers to deliver initial access payloads. The delayed KEV addition (February 2024) for a September 2023 patch suggests exploitation was either identified retrospectively or began as patch-derived exploits after the September release.

Remediation

  1. Update Chrome to 116.0.5845.179 or later — apply via automatic update or Settings → Help → About Google Chrome.
  2. Update Microsoft Edge, Brave, Opera, Vivaldi and other Chromium-based browsers, which each ship their own Chromium builds and require separate updates.
  3. Enable automatic browser updates — V8 vulnerabilities are discovered and exploited rapidly; staying on the current Chrome release is the most effective ongoing defense.
  4. Use Chrome's site isolation feature (chrome://flags/#site-per-process) — it ensures each site runs in a separate renderer process, limiting the damage from a compromised renderer.
  5. Consider remote browser isolation (RBI) for high-risk browsing: RBI solutions render pages in a cloud container rather than locally, preventing local code execution entirely.
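As an added example (not part of the original advisory), the following Python script checks whether a Chrome or Chromium build reports a version at or above the fixed version 116.0.5845.179 from step 1. It compares versions numerically rather than as strings, because a plain string comparison gets the order wrong: as text, "116.0.5845.96" sorts after "116.0.5845.179" even though it is the older build. The sample version strings are constructed for illustration, and the binary names probed by installed_chrome_version() are an assumption about common Linux/macOS installs. The threshold applies only to Chrome/Chromium version numbers; Edge, Brave, Opera and Vivaldi number their own builds, as step 2 notes, so they must be checked against their own vendor's advisory.

```python
"""Check whether a Chrome/Chromium build carries the CVE-2023-4762 fix.

Added example, not from the original advisory. The fixed version is taken
from the advisory; the sample '--version' outputs below are constructed.
"""
import re
import shutil
import subprocess

FIXED_CHROME_VERSION = "116.0.5845.179"  # from the advisory's remediation step 1

# Matches the dotted four-part version in outputs such as
# "Google Chrome 116.0.5845.179" or "Chromium 117.0.5938.62".
VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text):
    """Extract the first four-part version from text as a tuple of ints.

    Raises ValueError when no version is present, so a missing or garbled
    version can never be silently treated as 'patched'.
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chromium-style version found in: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text, fixed=FIXED_CHROME_VERSION):
    """True when the reported version is at or above the fixed version.

    Tuple comparison is element-wise and numeric, so 96 < 179 as intended.
    """
    return parse_version(version_text) >= parse_version(fixed)


def assess(version_text):
    """Return a one-line, human-readable assessment for one version string."""
    installed = ".".join(str(part) for part in parse_version(version_text))
    if is_patched(version_text):
        return f"{installed}: patched (>= {FIXED_CHROME_VERSION})"
    return f"{installed}: VULNERABLE, update to {FIXED_CHROME_VERSION} or later"


def installed_chrome_version():
    """Best effort: ask a locally installed Chrome/Chromium for its version.

    Returns None when no binary is found. The candidate names are an
    assumption about typical Linux/macOS installs; on Windows the version
    is easier to read from chrome://version.
    """
    candidates = ["google-chrome", "google-chrome-stable",
                  "chromium", "chromium-browser"]
    for name in candidates:
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"],
                                    capture_output=True, text=True)
            return result.stdout.strip()
    return None


# Constructed sample outputs (not real inventory data).
SAMPLE_OUTPUTS = [
    "Google Chrome 116.0.5845.96",   # earlier build of the same branch: vulnerable
    "Google Chrome 116.0.5845.179",  # the exact fixed build
    "Chromium 117.0.5938.62",        # a later major version
]

if __name__ == "__main__":
    for sample in SAMPLE_OUTPUTS:
        print(assess(sample))
    local = installed_chrome_version()
    if local:
        print("local install:", assess(local))
```

Run it directly to see the assessment of the constructed samples, followed by the local install if a Chrome or Chromium binary is on the PATH. For fleet use, feed the version strings collected by your inventory tooling to assess() instead of probing each host.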

Key Details

CVE ID: CVE-2023-4762
Vendor / Product: Google — Chromium V8
NVD Published: 2023-09-05
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-843
CISA KEV Added: 2024-02-06
CISA KEV Deadline: 2024-02-27
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Required (UI:R)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Required Action

CISA BOD 22-01 Deadline: 2024-02-27. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2023-09-05: Google releases Chrome 116.0.5845.179, patching CVE-2023-4762
2024-02-06: Added to CISA Known Exploited Vulnerabilities catalog
2024-02-27: CISA BOD 22-01 remediation deadline

References

Google Chrome Stable Channel Update, September 5, 2023 (Vendor Advisory)
NVD — CVE-2023-4762 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)