CVE-2023-4074 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2023-4074?

CVE-2023-4074 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Chrome's Blink rendering engine task scheduler that could allow remote attackers to execute arbitrary code or crash the browser. It affects all users running vulnerable versions of Google Chrome before 115.0.5790.170. Attackers can exploit this by tricking users into visiting a malicious webpage.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's Blink rendering engine task scheduler that could allow remote attackers to execute arbitrary code or crash the browser. It affects all users running vulnerable versions of Google Chrome before 115.0.5790.170. Attackers can exploit this by tricking users into visiting a malicious webpage.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 115.0.5790.170

Operating Systems: Windows, Linux, macOS, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default Chrome configurations are vulnerable. Other Chromium-based browsers may also be affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or installation of persistent malware.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within browser sandbox.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious page) but no authentication. Chrome's sandbox makes reliable exploitation challenging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 115.0.5790.170 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the patched version.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution, which breaks most web functionality.

Use Chrome Enterprise policies

all

Configure Chrome via Group Policy or MDM to restrict untrusted websites.

🧯 If You Can't Patch

Deploy web filtering to block known malicious sites and suspicious JavaScript.
Use application allowlisting to prevent unauthorized Chrome execution.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 115.0.5790.170, system is vulnerable.

Check Version:

google-chrome --version (Linux) or chrome://version in browser address bar

Verify Fix Applied:

Confirm Chrome version is 115.0.5790.170 or higher.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption errors
Unexpected Chrome process termination

Network Indicators:

HTTP requests to known exploit domains
Suspicious JavaScript loading patterns

SIEM Query:

source="chrome" AND (event="crash" OR event="memory_corruption")

📊 Metadata

CVE ID: CVE-2023-4074

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: August 3, 2023

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-4074, you might also want to check these: