CVE-2023-4431

8.1 HIGH

📋 TL;DR

This vulnerability allows a remote attacker to read memory outside the intended bounds in Google Chrome's font processing component. Attackers can exploit this by tricking users into visiting a malicious HTML page. All users running vulnerable versions of Chrome are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 116.0.5845.110
Operating Systems: Windows, Linux, macOS, ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Chromium-based browsers like Microsoft Edge may also be affected if using vulnerable Chromium versions.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure leading to potential data leakage, memory corruption that could enable arbitrary code execution, or browser crash.

🟠 Likely Case

Information disclosure through out-of-bounds memory reads, potentially exposing sensitive data from browser memory.

🟢 If Mitigated

Limited impact with proper browser sandboxing and memory protection features enabled.

🌐 Internet-Facing: HIGH - Exploitation requires only visiting a malicious webpage, making internet-facing systems highly vulnerable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious HTML pages and convincing users to visit them. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 116.0.5845.110 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/08/chrome-desktop-stable-update.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click the three-dot menu → Help → About Google Chrome.
3. Chrome will automatically check for and apply updates.
4. Click 'Relaunch' to restart Chrome with the updated version.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious scripts that could trigger the vulnerability

Use Browser Extensions for Script Blocking

all

Install extensions like NoScript or uBlock Origin to block potentially malicious scripts

🧯 If You Can't Patch

  • Implement network filtering to block access to suspicious websites
  • Use application whitelisting to restrict browser usage to trusted sites only

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: Open Chrome → Click three-dot menu → Help → About Google Chrome. If version is below 116.0.5845.110, you are vulnerable.

Check Version:

On Linux: google-chrome --version | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Verify Chrome version is 116.0.5845.110 or higher using the same method.
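The version check above, done numerically per component, as an added example that is not part of the original advisory or any vendor tooling. The function names and the sample version strings are constructed for illustration; a plain string comparison would rank 99.x above 116.x, which is why each component is compared as a number.

```shell
#!/bin/sh
# Added example: decide whether a Chrome version string is below the fixed build.
FIXED="116.0.5845.110"   # patch version stated in this advisory

# Pull the first four-part version out of text such as
# "Google Chrome 116.0.5845.96" (the shape `google-chrome --version` prints).
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# Exit status 0 when $1 is strictly lower than $2, comparing each
# dot-separated component as a number rather than as text.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Print "vulnerable", "patched" or "unknown" for one line of version output.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Constructed sample inputs (not collected from real hosts).
for line in \
    "Google Chrome 116.0.5845.96" \
    "Google Chrome 116.0.5845.110" \
    "Google Chrome 99.0.4844.51" \
    "Chromium 117.0.5938.62 snap" \
    "no version here"
do
    printf '%-32s %s\n' "$line" "$(chrome_status "$line")"
done

# Real use on Linux: chrome_status "$(google-chrome --version)"
```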

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with memory access violation errors
  • Unexpected browser process terminations

Network Indicators:

  • HTTP requests to suspicious domains with crafted HTML content
  • Unusual outbound connections from browser processes

SIEM Query:

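source="chrome_logs" AND (event_type="crash" OR error="access_violation") AND version<"116.0.5845.110"

The source and field names in this query are generic and need to be mapped to your own log schema. The version test must compare each dot-separated component as a number: if the SIEM evaluates it as a string comparison, a version such as 99.x sorts above 116.0.5845.110 and is missed.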
