AI description
CVE-2023-36880 is a vulnerability in a Microsoft Edge Virtualization-Based Security (VBS) enclave module. The enclave's `SealSettings` and `UnsealSettings` functions, which encrypt and decrypt data buffers respectively, do not properly validate the source and destination addresses they are given. Those addresses can therefore be manipulated to point to arbitrary memory locations within the enclave, which allows an attacker to read and write arbitrary data in protected enclave memory.

Although initially classified as an information disclosure vulnerability, CVE-2023-36880 has been acknowledged as potentially leading to limited code execution within the enclave. The vulnerability was discovered by Alex Gough of the Chrome Security Team, who also developed a proof-of-concept exploit. This information is current as of March 1, 2025, and may change as new information becomes available.
- Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
- Source: secure@microsoft.com
- NVD status: Modified
CVSS 3.1
- Type: Secondary
- Base score: 4.8
- Impact score: 2.5
- Exploitability score: 2.2
- Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity: MEDIUM
- Hype score: Not currently trending
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7F3A842F-A2C5-40B0-9C88-9F1D2E8C4370",
            "versionEndExcluding": "120.0.2210.61"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]