CVE-2023-6702 – This vulnerability is a type confusion flaw in ... (How to Fix)

Q: What is the severity of CVE-2023-6702?

CVE-2023-6702 has a CVSS score of 8.8 (HIGH). This vulnerability is a type confusion flaw in Chrome's V8 JavaScript engine that could allow an attacker to trigger heap corruption by tricking the browser into misinterpreting object types. Attackers could exploit this via malicious web pages to potentially execute arbitrary code or crash the browser. All users of affected Chrome versions are at risk when visiting compromised or malicious websites.

📋 TL;DR

This vulnerability is a type confusion flaw in Chrome's V8 JavaScript engine that could allow an attacker to trigger heap corruption by tricking the browser into misinterpreting object types. Attackers could exploit this via malicious web pages to potentially execute arbitrary code or crash the browser. All users of affected Chrome versions are at risk when visiting compromised or malicious websites.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers
Microsoft Edge
Opera
Brave
Vivaldi

Versions: All versions prior to 120.0.6099.109

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. Chromium-based browsers using affected V8 versions are also impacted.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Edge Chromium by Microsoft

View all CVEs affecting Edge Chromium →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment via drive-by download attacks.

🟠

Likely Case

Browser crashes, denial of service, or limited sandbox escape leading to information disclosure.

🟢

If Mitigated

Browser crash with no further impact if sandbox holds, or successful blocking by web filtering/security tools.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious page) but no authentication. Type confusion vulnerabilities in V8 have historically been exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 120.0.6099.109 and later

Vendor Advisory: https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html

Restart Required: Yes

Instructions:

1. Open Chrome 2. Click three-dot menu → Help → About Google Chrome 3. Browser will check for and apply update 4. Click 'Relaunch' when prompted

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution, but breaks most websites

Use browser extensions

all

Install NoScript or uBlock Origin to block malicious scripts

🧯 If You Can't Patch

Restrict browser usage to trusted websites only
Implement network segmentation and web filtering to block malicious domains

🔍 How to Verify

Check if Vulnerable:

Check Chrome version via chrome://version or Settings → About Chrome

Check Version:

google-chrome --version (Linux) or chrome://version (all platforms)

Verify Fix Applied:

Confirm version is 120.0.6099.109 or higher

📡 Detection & Monitoring

Log Indicators:

Browser crash logs with V8 errors
Unexpected process termination
Memory access violation events

Network Indicators:

Connections to suspicious domains followed by browser crashes
Unusual outbound traffic from browser processes

SIEM Query:

process_name:"chrome.exe" AND (event_id:1000 OR event_id:1001) AND message:"V8" OR process_name:"chrome" AND signal:SIGSEGV

📊 Metadata

CVE ID: CVE-2023-6702

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-843

Published: December 14, 2023

Last Updated: November 4, 2025

🔗 References

https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html Release Notes,Vendor Advisory
https://crbug.com/1501326 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/ Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202401-34
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html Release Notes,Vendor Advisory
https://crbug.com/1501326 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6NWZ23ZJ62XKWVNGHSIZQYILVJWH5BLI/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGJ732QHS2FAYF62RFF3YP4VIQY75K7V/
https://security.gentoo.org/glsa/202401-34

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-6702, you might also want to check these: