LiveActive security incident?Get immediate response
CVE Record

CVE-2018-6065: Integer overflow in computing the required allocation size when instantiating a new javascript object in V8...

Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

HighCVSS 8.8Known exploitedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This is an old but serious Chrome V8 flaw. A malicious web page could corrupt browser memory when Chrome created a JavaScript object. Because CISA lists CVE-2018-6065 in KEV, treat remaining vulnerable installations as urgent legacy exposure, not a theoretical issue.

Executive priority

Prioritize remediation where legacy browser versions still exist. The vulnerability is high impact, remotely reachable through web content, and listed by CISA as known exploited. For current managed browsers, risk is mainly about finding exceptions and unsupported systems.

Technical view

CVE-2018-6065 is a CWE-190 integer overflow in V8 allocation-size calculation during JavaScript object instantiation. Chrome before 65.0.3325.146 could suffer heap corruption from crafted HTML. CVSS is 8.8 with network attack vector, low complexity, no privileges, user interaction required, and high confidentiality, integrity, and availability impact.

Likely exposure

Exposure is most likely on unmanaged endpoints, kiosks, embedded browser runtimes, or Linux systems still using Chrome before 65.0.3325.146. Red Hat and Debian advisories indicate distribution package relevance. Modern fully updated Chrome installations should not remain affected by this specific issue.

Exploitation context

The source bundle includes an Exploit-DB reference and CISA KEV status. KEV supports that this CVE has been exploited in the wild. The known attack path requires user interaction with crafted HTML, typically through web browsing or web content rendering.

Researcher notes

The public description gives the vulnerability class, affected component, trigger surface, and fixed Chrome version. The Chrome bug reference may restrict deeper root-cause detail, so avoid overstating internals beyond integer overflow leading to heap corruption during object allocation.

Mitigation direction

  • Update Google Chrome to 65.0.3325.146 or later.
  • Apply relevant Red Hat or Debian browser package advisories.
  • Remove or isolate unsupported legacy Chrome installations.
  • Check vendor guidance for embedded or bundled Chromium runtimes.
  • Prioritize KEV remediation tracking for any confirmed exposure.

Validation and detection

  • Inventory Chrome versions across endpoints and managed images.
  • Flag any Chrome version earlier than 65.0.3325.146.
  • Check Linux package status against vendor security advisories.
  • Confirm browser auto-update controls are functioning.
  • Review whether kiosks or embedded browsers use stale runtimes.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-190: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-6065 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
8Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H2.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2018-6065Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
GoogleChromeunspecifiedListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-190 · source CWE mapping

Integer Overflow or Wraparound

Integer Overflow or Wraparound represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.