CVE-2018-6065

HIGH KEV

Google Chrome <65.0.3325.146 - Heap Corruption

Title source: llm

Exploitation Summary

CVE-2018-6065 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2022. EIP tracks 2 public exploits from researchers including Google Security Research, b1tg.

AI-analyzed exploit summary The exploit leverages an integer overflow in V8's JSFunction::CalculateInstanceSizeForDerivedClass, allowing memory corruption via a crafted prototype chain with large expected_nof_properties. This results in an undersized allocation, leading to a crash or potential RCE.

Description

Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Google Security Research · textremotemultiple

https://www.exploit-db.com/exploits/44584

View Code ZIP pw:eip

The exploit leverages an integer overflow in V8's JSFunction::CalculateInstanceSizeForDerivedClass, allowing memory corruption via a crafted prototype chain with large expected_nof_properties. This results in an undersized allocation, leading to a crash or potential RCE.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Google Chrome (V8 Engine) < 64.0.3282.119

No auth needed

Prerequisites: Target must visit a malicious webpage or execute crafted JavaScript

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 2 stars

by b1tg · client-side

https://github.com/b1tg/CVE-2018-6065-exploit

View Code ZIP pw:eip

This repository contains a working exploit for CVE-2018-6065, a V8 JavaScript engine vulnerability. The exploit leverages memory corruption to achieve arbitrary code execution via shellcode injection.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Google Chrome V8 Engine (versions affected by CVE-2018-6065)

No auth needed

Prerequisites: Vulnerable version of Chrome/V8 · Ability to execute JavaScript in the target environment

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6065

Exploit, Issue Tracking x_refsource_misc

https://crbug.com/808192

Release Notes, Vendor Advisory x_refsource_confirm

https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/103297

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0484

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44584/

Mailing List, Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2018/dsa-4182

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-19-367/

Scores

CVSS v3 8.8

EPSS 0.5882

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-06-08

VulnCheck KEV 2019-09-24

InTheWild.io 2020-03-25

ENISA EUVD EUVD-2018-17828

CWE

CWE-190

Status published

Products (6)

debian/debian_linux 9.0

google/chrome < 65.0.3325.146

mi/mi6_browser

redhat/enterprise_linux_desktop 6.0

redhat/enterprise_linux_server 6.0

redhat/enterprise_linux_workstation 6.0

Published Nov 14, 2018

KEV Added Jun 08, 2022

Tracked Since Feb 18, 2026