CVE-2023-2033

HIGH KEV

Google Chrome < 112.0.5615.121 - Remote Code Execution via V8 Type Confusion

Title source: llm

Exploitation Summary

CVE-2023-2033 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 17, 2023. EIP tracks 6 public exploits from researchers including mistymntncop, sandumjacob, insoxin.

AI-analyzed exploit summary This is a working exploit PoC for CVE-2023-2033, targeting a type confusion vulnerability in V8's TurboFan JIT compiler. It leverages 'The Hole' object to achieve memory corruption and arbitrary read/write primitives.

Description

Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Exploits (6)

nomisec WORKING POC 66 stars

by mistymntncop · client-side

https://github.com/mistymntncop/CVE-2023-2033

View Code ZIP pw:eip

This is a working exploit PoC for CVE-2023-2033, targeting a type confusion vulnerability in V8's TurboFan JIT compiler. It leverages 'The Hole' object to achieve memory corruption and arbitrary read/write primitives.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Chromium V8 (specific commit f7a3499f6d7e50b227a17d2bbd96e4b59a261d3c)

No auth needed

Prerequisites: V8 engine built from specific commit · d8 shell with --allow-natives-syntax flag

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 19 stars

by sandumjacob · poc

https://github.com/sandumjacob/CVE-2023-2033-Analysis

View Code ZIP pw:eip

This repository contains a working proof-of-concept for CVE-2023-2033, a vulnerability in V8's stack trace handling. The PoC includes test cases to demonstrate the behavior of stack traces with proxies and error objects, highlighting the vulnerability's impact.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: V8 JavaScript Engine (Chromium)

No auth needed

Prerequisites: Access to a vulnerable version of V8/JavaScript engine

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB 4 stars

by insoxin · poc

https://github.com/insoxin/CVE-2023-2033

View Code ZIP pw:eip

The repository contains only a README.md file with minimal information, lacking any exploit code or technical details for CVE-2023-2033.

Classification

Stub 10%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB

by tianstcht · poc

https://github.com/tianstcht/CVE-2023-2033

View Code ZIP pw:eip

The repository contains only a README.md file with a placeholder message 'coming soon' and no actual exploit code or technical details. No functional PoC or exploit is present.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec NO CODE

by gretchenfrage · poc

https://github.com/gretchenfrage/CVE-2023-2033-analysis

View Code ZIP pw:eip

vulncheck_xdb WORKING POC

client-side

https://github.com/rycbar77/V8Exploits

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2023-2033, demonstrating a V8 engine vulnerability. The PoC leverages memory corruption techniques (e.g., arbitrary read/write primitives) to achieve remote code execution (RCE) in a Chrome/Chromium environment.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Google Chrome/Chromium (V8 engine)

No auth needed

Prerequisites: Vulnerable version of Chrome/Chromium with V8 engine · Ability to execute arbitrary JavaScript in the target environment

MITRE ATT&CK