Google has issued an emergency update for an actively exploited integer overflow vulnerability in its Chrome browser. The flaw is the second zero-day bug in a week that Google has addressed.
The high-severity flaw (CVE-2023-2136) exists in Skia, an open-source graphics library that was acquired by Google in 2005 and serves as the graphics engine for Chrome, ChromeOS and Android. Clément Lecigne, with Google's Threat Analysis Group, was credited with reporting the flaw on April 12.
According to the National Institute of Standards and Technology's National Vulnerability Database, the “integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”
The fix is included in version 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac, which will roll out over the coming days, according to Google.
Google did not give further details on the flaw: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to its Tuesday alert. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The bug was fixed alongside seven other flaws, including two high-severity out-of-bounds memory access issues (CVE-2023-2133 and CVE-2023-2134) in the Service Worker API, which earned their reporter, Rong Jian of VRI, $16,000 in rewards. Other issues include a use-after-free bug (CVE-2023-2135) in DevTools and a heap buffer overflow (CVE-2023-2137) in SQLite.
Google’s zero-day alert follows an emergency update the company released on Friday to fix a type confusion bug in V8, its open-source high-performance JavaScript and WebAssembly engine. The flaw (CVE-2023-2033), also reported by Lecigne, is fixed in version 112.0.5615.121.
The two flaws are the first two zero-day vulnerabilities fixed by Google this year. Last year, the company fixed a number of zero-days, including a high-severity heap buffer overflow bug (CVE-2022-2294) in WebRTC and a high-severity insufficient data validation bug in the Mojo system API in Chromium.