CVE-2023-3214 – This critical vulnerability in Google Chrome's ... (How to Fix)

Q: What is the severity of CVE-2023-3214?

CVE-2023-3214 has a CVSS score of 8.8 (HIGH). This critical vulnerability in Google Chrome's Autofill payments feature allows remote attackers to execute arbitrary code via heap corruption. Attackers can exploit this by tricking users into visiting a malicious webpage. All Chrome users on versions prior to 114.0.5735.133 are affected.

📋 TL;DR

This critical vulnerability in Google Chrome's Autofill payments feature allows remote attackers to execute arbitrary code via heap corruption. Attackers can exploit this by tricking users into visiting a malicious webpage. All Chrome users on versions prior to 114.0.5735.133 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 114.0.5735.133

Operating Systems: Windows, Linux, macOS, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in Chrome's Autofill payments feature, which is enabled by default. All platforms running vulnerable Chrome versions are affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Browser crash, memory corruption, or limited code execution within Chrome's sandbox.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Exploitable via visiting malicious websites, making internet-facing systems particularly vulnerable.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious page) but no authentication. Use-after-free vulnerabilities typically require careful memory manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 114.0.5735.133 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_13.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable Autofill payments

all

Temporarily disable Chrome's Autofill payments feature to mitigate the vulnerability

Use browser extensions to block malicious content

all

Install content blockers or script blockers to prevent malicious page execution

🧯 If You Can't Patch

Restrict web browsing to trusted sites only using browser policies
Implement network filtering to block known malicious domains and suspicious JavaScript

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 114.0.5735.133, system is vulnerable.

Check Version:

chrome://version/ or 'google-chrome --version' on Linux

Verify Fix Applied:

Confirm Chrome version is 114.0.5735.133 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption errors
Unexpected Chrome process termination

Network Indicators:

Requests to suspicious domains with payment-related parameters
Unusual JavaScript execution patterns

SIEM Query:

source="chrome" AND (event_type="crash" OR memory_corruption="true")

📊 Metadata

CVE ID: CVE-2023-3214

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: June 13, 2023

Last Updated: May 5, 2025

🔗 References

https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_13.html Release Notes,Vendor Advisory
https://crbug.com/1450568 Issue Tracking,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEH75UOM7FAXDUPC37YHP7ONL2HSDIJR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O362DC3ZCFRXVHOXMPIL73YOWABQEUYD/ Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202311-11
https://security.gentoo.org/glsa/202401-34
https://www.debian.org/security/2023/dsa-5428 Third Party Advisory
https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_13.html Release Notes,Vendor Advisory
https://crbug.com/1450568 Issue Tracking,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEH75UOM7FAXDUPC37YHP7ONL2HSDIJR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O362DC3ZCFRXVHOXMPIL73YOWABQEUYD/ Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202311-11
https://security.gentoo.org/glsa/202401-34
https://www.debian.org/security/2023/dsa-5428 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-3214, you might also want to check these: