CVE-2023-2136
published 2023-04-19

Priority: P1 (86) · Critical 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Flags: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2023-05-12
Exploited in the wild
EPSS: 5.79% (92.2nd percentile)
Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Affected (16 ranges)

Vendor          Product          Version range                          Fixed in
chromium        chromium         >= 0, < 112.0.5615.138-1~deb11u1       112.0.5615.138-1~deb11u1
chromium        chromium         >= 0, < 112.0.5615.138-1               112.0.5615.138-1
chromium        chromium         >= 0, < 112.0.5615.138-1               112.0.5615.138-1
chromium        chromium         >= 0, < 112.0.5615.138-1               112.0.5615.138-1
debian          chromium         < 112.0.5615.138-1 (bookworm)          112.0.5615.138-1 (bookworm)
debian          debian_linux     (no range given)
fedoraproject   fedora           (no range given)
fedoraproject   fedora           (no range given)
fedoraproject   fedora           (no range given)
google          android          (no range given)
google          chrome           < 112.0.5615.137                       112.0.5615.137
google          chrome           >= 112.0.5615.137, < 112.0.5615.137    112.0.5615.137
google          chrome_chrome    (no range given)
msrc            microsoft_edge   (no range given)
platform        external_skia    >= 13-next:0, < 13-next:2023-07-01     13-next:2023-07-01
platform        external_skia    >= 13:0, < 13:2023-07-01               13:2023-07-01

Note: the second google/chrome row is an empty range (lower and upper bound are the same build) as recorded in the source data; the effective Chrome threshold is the first row, everything below 112.0.5615.137. The ~deb11u1 suffix on the first chromium row marks the Debian 11 (bullseye) build.

Detection & IOCs

  • Actively exploited in the wild (confirmed by Google and CISA KEV): prioritize finding Google Chrome installs below 112.0.5615.137. Microsoft Edge uses its own build numbering, so compare Edge against the fixed build in the MSRC advisory for this CVE, not against the Chrome version threshold.
  • The attack vector is a crafted HTML page rendered by a vulnerable Chromium-based browser. The bug itself is a sandbox escape, so the attacker must already control the renderer process (in practice it is chained with a renderer-side bug); monitor for renderer crashes or anomalies and for unexpected child processes spawned from browser processes, a common indicator of a successful escape.
  • The affected product set is broad: Google Chrome, ChromeOS, Android 13, Flutter, and Microsoft Edge (Chromium-based); make sure detection and patching coverage spans all of them.
  • On Android, track AOSP reference A-278113033 to verify the patch on Android 13 devices; the exploitation type is classified as RCE.
  • The fixed version threshold for Google Chrome (desktop) is 112.0.5615.137; any earlier version is vulnerable.
  • The fixed Debian package version is 112.0.5615.138-1 for bookworm, forky, sid, and trixie, and 112.0.5615.138-1~deb11u1 for bullseye (see the Affected table).
  • The CISA KEV remediation deadline was 2023-05-12; any asset still unpatched is significantly overdue.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.6     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
osv                       9.6     CRITICAL
vulncheck                 9.6     CRITICAL
cisa                      9.6     CRITICAL
vendor_debian             9.6     CRITICAL
vendor_msrc               9.6     CRITICAL