CVE-2023-36034 – This vulnerability in Microsoft Edge (Chromium-... (How to Fix)

Q: What is the severity of CVE-2023-36034?

CVE-2023-36034 has a CVSS score of 7.3 (HIGH). This vulnerability in Microsoft Edge (Chromium-based) allows attackers to execute arbitrary code on a user's system by tricking them into visiting a malicious website. It affects all users running vulnerable versions of Microsoft Edge. The vulnerability involves use-after-free memory corruption that can be exploited for remote code execution.

📋 TL;DR

This vulnerability in Microsoft Edge (Chromium-based) allows attackers to execute arbitrary code on a user's system by tricking them into visiting a malicious website. It affects all users running vulnerable versions of Microsoft Edge. The vulnerability involves use-after-free memory corruption that can be exploited for remote code execution.

💻 Affected Systems

Products:

Microsoft Edge (Chromium-based)

Versions: Versions prior to 119.0.2151.44

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Edge versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Edge Chromium by Microsoft

View all CVEs affecting Edge Chromium →

Edge Chromium by Microsoft

View all CVEs affecting Edge Chromium →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the victim's computer, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Malicious code execution in the browser context leading to credential theft, session hijacking, or installation of malware through drive-by download attacks.

🟢

If Mitigated

No impact if Edge is fully patched or if security controls like application whitelisting and network filtering prevent exploitation.

🌐 Internet-Facing: HIGH - Attackers can host malicious websites accessible from the internet to exploit this vulnerability.

🏢 Internal Only: MEDIUM - Internal users could be targeted through phishing emails or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious website) but no authentication. Memory corruption vulnerabilities typically require some exploit development skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Microsoft Edge version 119.0.2151.44 and later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36034

Restart Required: Yes

Instructions:

1. Open Microsoft Edge. 2. Click Settings (three dots) > Help and feedback > About Microsoft Edge. 3. Browser will automatically check for updates and install if available. 4. Restart Edge when prompted.

🔧 Temporary Workarounds

Disable JavaScript (temporary)

all

Temporarily disable JavaScript to prevent exploitation while awaiting patch deployment.

edge://settings/content/javascript

Use Application Control

windows

Implement application whitelisting to prevent unauthorized code execution.

🧯 If You Can't Patch

Restrict internet browsing to essential websites only using web filtering solutions.
Implement network segmentation to isolate vulnerable systems from critical assets.

🔍 How to Verify

Check if Vulnerable:

Check Edge version by navigating to edge://settings/help. If version is below 119.0.2151.44, system is vulnerable.

Check Version:

edge://settings/help or 'msedge --version' in command line

Verify Fix Applied:

Verify Edge version is 119.0.2151.44 or higher after update and restart.

📡 Detection & Monitoring

Log Indicators:

Unusual process creation from Edge browser
Memory access violations in system logs
Suspicious network connections from Edge

Network Indicators:

Connections to known malicious domains from Edge
Unusual outbound traffic patterns

SIEM Query:

Process Creation where ParentImage contains 'msedge.exe' AND CommandLine contains unusual parameters

📊 Metadata

CVE ID: CVE-2023-36034

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

CWE: CWE-416

Published: November 3, 2023

Last Updated: January 1, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36034 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36034 Patch,Vendor Advisory
https://security.gentoo.org/glsa/202402-05

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36034, you might also want to check these: