April 19, 2023

Google Patches High-Severity Vulnerabilities in Chrome, One Being Exploited in the wild

Google has released Chrome version 112.0.5615.137/138 (Stable and Extended Stable Channel), patching 8 vulnerabilities, including one exploited in the wild.

Successful exploitation of some of these vulnerabilities could allow remote code execution in the context of the logged on user. The severity of the attack would depend on the privileges associated with the user’s account.

The High-Severity Vulnerabilities

• CVE-2023-2136, High – Integer overflow in Skia which allows a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The Vulnerability is being exploited in the wild.
• CVE-2023-2133 and CVE-2023-2134, High – Out of bounds memory access in Service Worker API allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
• CVE-2023-2135, High – Use after free in DevTools allows a remote attacker, who convinced a user to enable specific preconditions, to potentially exploit heap corruption via a crafted HTML page.

Affected Products

These vulnerabilities affect all unpatched Chrome and Chromium based browsers.

Mitigation

CYREBRO recommends updating browsers to the latest Chrome version, 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and Linux.

For the full patched vulnerabilities list, visit Chrome Releases.

References: Chrome Releases.