CVE-2023-0134: 
vulnerability analysis and mitigation

A Use-after-free vulnerability (CVE-2023-0134) was discovered in the Cart feature of Google Chrome versions prior to 109.0.5414.74. The vulnerability was reported by Chaoyuan Peng (@ret2happy) on November 17, 2022, and was assigned a Medium severity rating by the Chromium security team (Chrome Release).

The vulnerability is a Use-after-free condition in the Cart functionality of Google Chrome. It allows an attacker to potentially exploit heap corruption through database corruption when combined with a crafted HTML page, but only after convincing a user to install a malicious extension (CVE Mitre). The vulnerability was deemed significant enough to warrant a $2,500 bounty reward (Chrome Release).

The vulnerability could potentially lead to heap corruption if successfully exploited, but requires user interaction in the form of installing a malicious extension. The Chromium security team classified this as a Medium severity issue, indicating significant but not critical risk (Chrome Release).

The vulnerability was patched in Chrome version 109.0.5414.74. Users and administrators are advised to update to this version or later to mitigate the risk. The fix was included in the January 2023 stable channel update for Chrome desktop (Chrome Release, Gentoo Security).