Exploitation Summary
CVE-2018-17480 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2022.
Description
Execution of user-supplied JavaScript during array deserialization, leading to an out-of-bounds write in V8 in Google Chrome prior to 71.0.3578.80, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
References (7)
Core References
US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-17480
Exploit, Issue Tracking (x_refsource_misc): https://crbug.com/905940
Vendor Advisory (x_refsource_confirm): https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:3803
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2018/dsa-4352
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/106084
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201908-18
Scores
CVSS v3: 8.8
EPSS: 0.3044
EPSS Percentile: 96.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: no
Technical Impact: total
Details
CISA KEV: 2022-06-08
VulnCheck KEV: 2019-09-24
InTheWild.io: 2020-03-25
ENISA EUVD: EUVD-2018-9233
CWE: CWE-787
Status: published
Products (5)
debian/debian_linux: 9.0
google/chrome: < 71.0.3578.80
redhat/enterprise_linux_desktop: 6.0
redhat/enterprise_linux_server: 6.0
redhat/enterprise_linux_workstation: 6.0
Published: Dec 11, 2018
KEV Added: Jun 08, 2022
Tracked Since: Feb 18, 2026