CVE-2023-6350 in Chrome

Summary

by MITRE • 11/29/2023

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High)


Analysis

by VulDB Data Team • 09/17/2025

CVE-2023-6350 is a use-after-free condition in the libavif library component of Google Chrome, affecting versions prior to 119.0.6045.199. The flaw lies in the handling of avif image files and is rated High on the Chromium security severity scale. It is triggered when the browser processes a malformed avif file that causes improper memory management during object deallocation, creating an opportunity for heap corruption that a remote attacker can exploit.

Technically, the vulnerability stems from inadequate memory management within the libavif implementation. When Chrome decodes a crafted avif file, memory that has already been freed is used again. This use-after-free condition allows an attacker to manipulate heap contents and potentially execute arbitrary code on the target system. The flaw manifests during the parsing and processing of avif image metadata, where memory objects are freed but subsequently referenced, opening a window for exploitation.

From an operational impact perspective, this vulnerability enables remote code execution for attackers who can get victims to view maliciously crafted avif files in Chrome. The attack vector is particularly concerning because it requires no user interaction beyond visiting a malicious web page or opening a compromised file, which makes it well suited to phishing campaigns and drive-by download scenarios. The resulting heap corruption can be leveraged to overwrite critical memory structures, potentially leading to complete system compromise. The vulnerability is classified as CWE-416 (Use After Free) and is a classic example of the memory safety issues that have long affected multimedia processing libraries.

CVE-2023-6350 illustrates the broader security implications of third-party library vulnerabilities within browser ecosystems, where a single flaw in a dependency can compromise the entire application. Attackers can deliver the crafted file through web-based attacks, email attachments, or malicious file downloads, which makes the flaw particularly dangerous in enterprise environments. Its High rating on the Chromium security severity scale reflects the substantial risk it poses to users and organizations running affected Chrome versions. Mitigation should prioritize immediate patching of Chrome installations to version 119.0.6045.199 or later; network administrators should also consider additional controls such as content filtering and web application firewalls to block access to known malicious avif files. Organizations should further assess their browser-based applications and security infrastructure for exposure to similar third-party library issues.
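As an added example (not VulDB's text and not code from the Chromium or libavif projects), the following Python script carries out two of the defensive checks the paragraph above calls for: deciding whether an installed Chrome build is at or past the fixed release, and recognizing avif content by its ISOBMFF 'ftyp' brands so that a content filter can act on the format regardless of file name. Only the fixed version string 119.0.6045.199 comes from the advisory; every other version string and every file sample in the script is constructed for illustration, and the avif recognition relies on the published 'ftyp' box layout, not on anything specific to this bug.

```python
"""
Two defender-side checks related to CVE-2023-6350 (added example, not the
advisory's or any project's own code).

1. Compare an installed Chrome version against the fixed release
   numerically. A plain string comparison gets this wrong: "119.0.6045.99"
   sorts *after* "119.0.6045.199" as text, yet it is the older build.
2. Identify AVIF payloads by the brands in the leading ISOBMFF 'ftyp' box
   instead of trusting the file extension. Still images carry the 'avif'
   brand, image sequences 'avis'; either may appear as the major brand or
   only among the compatible brands (e.g. with a generic 'mif1' major brand).
"""
from typing import Dict, List, Tuple

# Fixed version taken from the advisory text above.
FIXED_VERSION = "119.0.6045.199"

# Brands that mark AVIF content in the ISOBMFF file-type box.
AVIF_BRANDS = {b"avif", b"avis"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is the fixed version or newer."""
    return parse_version(installed) >= parse_version(fixed)


def ftyp_brands(data: bytes) -> List[bytes]:
    """Return [major brand, *compatible brands] from a leading 'ftyp' box,
    or [] if the data does not start with a well-formed one."""
    # size(4) + 'ftyp'(4) + major brand(4) + minor version(4) is the minimum.
    if len(data) < 16 or data[4:8] != b"ftyp":
        return []
    size = int.from_bytes(data[0:4], "big")
    if size == 0:            # box extends to the end of the data
        size = len(data)
    if size == 1:            # 64-bit 'largesize' form; never needed for ftyp
        return []
    if size < 16 or size > len(data) or (size - 16) % 4:
        return []            # truncated or misaligned box: refuse to guess
    major = data[8:12]
    compatible = [data[i:i + 4] for i in range(16, size, 4)]
    return [major] + compatible


def is_avif(data: bytes) -> bool:
    """True if any ftyp brand identifies the payload as AVIF."""
    return any(b in AVIF_BRANDS for b in ftyp_brands(data))


def build_ftyp(major: bytes, compatible: List[bytes]) -> bytes:
    """Construct a minimal ftyp box; used only to build the sample inputs."""
    body = b"ftyp" + major + (0).to_bytes(4, "big") + b"".join(compatible)
    return (len(body) + 4).to_bytes(4, "big") + body


# Constructed samples: an AVIF still image, an AVIF file whose major brand is
# the generic 'mif1', a PNG signature, and a header that claims a larger ftyp
# box than the data actually contains (treated as malformed, not as AVIF).
SAMPLES: Dict[str, bytes] = {
    "still.avif": build_ftyp(b"avif", [b"avif", b"mif1", b"miaf"]),
    "generic.avif": build_ftyp(b"mif1", [b"mif1", b"avif", b"miaf"]),
    "image.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "truncated.avif": (64).to_bytes(4, "big") + b"ftypavif" + b"\x00" * 4,
}


def classify_samples() -> Dict[str, bool]:
    """Map each sample name to whether its bytes are recognised as AVIF."""
    return {name: is_avif(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    # Constructed version strings, chosen to straddle the fixed release.
    for v in ("118.0.5993.0", "119.0.6045.99", "119.0.6045.199", "120.0.6099.0"):
        print(f"{v:>16}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    for name, verdict in classify_samples().items():
        print(f"{name:>16}: {'AVIF' if verdict else 'not AVIF'}")
```

The version check deliberately parses every component as an integer; the brand check deliberately returns "not AVIF" for a truncated or misaligned box rather than guessing, since a filter that decides on partial headers can be made to disagree with the decoder downstream.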

Reservation

11/28/2023

Disclosure

11/29/2023

Moderation

accepted

CPE

ready

EPSS

0.01118

KEV

no

Activities

very low

Sources
