On Tuesday, Google released emergency patches for a second actively exploited zero-day vulnerability of critical severity in its Chrome web browser.
The vulnerability, tracked as CVE-2023-2136, is an integer overflow in Skia, the open-source 2D graphics library used by Chrome. Clément Lecigne of Google’s Threat Analysis Group (TAG) is credited with discovering and reporting the flaw on April 12, 2023.
“Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a specially crafted HTML page,” according to the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST).
The tech behemoth, which also patched seven other security flaws with the latest update, acknowledged that the vulnerability is being actively exploited but did not disclose additional information to prevent further abuse.
This is the second Chrome zero-day vulnerability that malicious actors have exploited this year, and it comes just days after Google patched CVE-2023-2033 last week. It is not immediately apparent whether the two zero-day vulnerabilities have been chained together in the field.
Users are advised to upgrade to version 112.0.5615.137 for Windows, macOS, and Linux in order to prevent potential security risks. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also implement the updates as soon as they become available.