CVE-2023-3598 – This vulnerability allows a remote attacker to ... (How to Fix)

Q: What is the severity of CVE-2023-3598?

CVE-2023-3598 has a CVSS score of 8.8 (HIGH). This vulnerability allows a remote attacker to exploit heap corruption through out-of-bounds read/write in ANGLE (Almost Native Graphics Layer Engine) in Google Chrome. Attackers can craft malicious HTML pages to potentially execute arbitrary code or crash the browser. All users running vulnerable versions of Chrome are affected.

📋 TL;DR

This vulnerability allows a remote attacker to exploit heap corruption through out-of-bounds read/write in ANGLE (Almost Native Graphics Layer Engine) in Google Chrome. Attackers can craft malicious HTML pages to potentially execute arbitrary code or crash the browser. All users running vulnerable versions of Chrome are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Prior to 114.0.5735.90

Operating Systems: Windows, Linux, macOS, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: ANGLE is used for WebGL rendering, so any Chrome instance with WebGL enabled is vulnerable.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or installation of persistent malware.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Exploitable via crafted web pages, making all internet-facing Chrome instances vulnerable.

🏢 Internal Only: HIGH - Internal users visiting malicious sites or opening crafted documents could be exploited.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires user to visit malicious website or open crafted HTML content. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 114.0.5735.90 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_30.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable WebGL

all

Disables ANGLE functionality by turning off WebGL rendering

chrome://flags/#disable-webgl → Disable
chrome://flags/#disable-accelerated-2d-canvas → Disable

Use Chrome Enterprise policies

windows

Block WebGL via Group Policy or administrative templates

Set 'BlockWebGL' policy to enabled

🧯 If You Can't Patch

Use browser isolation technology to render web content in isolated containers
Implement strict web filtering to block untrusted sites and HTML content

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 114.0.5735.90, system is vulnerable.

Check Version:

chrome://version/ (look for 'Google Chrome' version number)

Verify Fix Applied:

Confirm Chrome version is 114.0.5735.90 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with ANGLE-related stack traces
Unexpected Chrome process termination events

Network Indicators:

Requests to known malicious domains hosting exploit code
Unusual WebGL-related network traffic patterns

SIEM Query:

source="chrome" AND (event_type="crash" OR process_name="chrome.exe") AND message="*ANGLE*" OR "*WebGL*"

📊 Metadata

CVE ID: CVE-2023-3598

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: July 28, 2023

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_30.html Release Notes,Vendor Advisory
https://crbug.com/1427865 Exploit,Issue Tracking,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2LE64KGGOISKPKMYROSDT4K6QFVDIRF6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B6SAST6CB5KKCQKH75ER2UQ3ICYPHCIZ/
https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_30.html Release Notes,Vendor Advisory
https://crbug.com/1427865 Exploit,Issue Tracking,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2LE64KGGOISKPKMYROSDT4K6QFVDIRF6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B6SAST6CB5KKCQKH75ER2UQ3ICYPHCIZ/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-3598, you might also want to check these: