Google Chrome Hit by Second Zero-Day Attack

April 19, 2023 | Rabbi Lakshmanan | browser security / zero day


Google deployed an emergency fix on Tuesday to address another serious zero-day vulnerability actively being exploited in its Chrome web browser.

The flaw is tracked as CVE-2023-2136 and is described as an integer overflow in Skia, an open source 2D graphics library. Clément Lecigne of Google’s Threat Analysis Group (TAG) is credited with discovering and reporting the vulnerability on April 12, 2023.

According to NIST’s National Vulnerability Database (NVD), “An integer overflow in Skia in Google Chrome prior to 112.0.5615.137 could allow a remote attacker to compromise the renderer process and perform a sandbox escape via a specially crafted HTML page.”

The tech giant, whose latest update also fixed seven other security issues, said it was aware of active exploitation of the flaw, but declined to disclose additional details to prevent further exploitation.

The development marks the second Chrome zero-day vulnerability exploited by malicious actors this year, and it comes just days after Google patched CVE-2023-2033 last week. It is not immediately clear whether the two zero-days have been chained together in real-world attacks.

We recommend upgrading to version 112.0.5615.137 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also encouraged to apply the fix as it becomes available.
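For teams checking a fleet against the fixed build above, the following is an added example (not code from the article or from Google) that triages browser inventory entries against 112.0.5615.137. The function names and the sample inventory are constructed for illustration, and it assumes Chrome versions are reported in four-part dotted form.

```python
import re

# Fixed Chrome build named in the article for CVE-2023-2136.
FIXED_CHROME = (112, 0, 5615, 137)
# Chromium-based browsers the article lists. Their own fixed builds are not
# given in the article, so they cannot be compared against FIXED_CHROME.
CHROMIUM_BASED = {"edge", "brave", "opera", "vivaldi"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if not MAJOR.MINOR.BUILD.PATCH."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(browser, version):
    """Classify one entry: patched, vulnerable, check-vendor or unknown."""
    name = browser.strip().lower()
    if name in CHROMIUM_BASED:
        return "check-vendor"  # vendor uses its own build numbering
    parsed = parse_version(version)
    if name != "chrome" or parsed is None:
        return "unknown"  # unrecognised browser or malformed version string
    # Tuple comparison is numeric per component, so patch 50 < patch 137
    # (a plain string comparison would get this wrong).
    return "patched" if parsed >= FIXED_CHROME else "vulnerable"


# Constructed sample inventory (host, browser, version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Chrome", "112.0.5615.137"),
    ("ws-02", "Chrome", "112.0.5615.121"),
    ("ws-03", "Chrome", "112.0.5615.50"),
    ("ws-04", "Chrome", "113.0.5672.63"),
    ("ws-05", "Edge", "112.0.1722.48"),
    ("ws-06", "Chrome", "112.0.5615"),
]


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(b, v) for host, b, v in inventory}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as `check-vendor` or `unknown` need a manual look rather than being assumed safe.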
