Google Patches RCE Vulnerabilities in Chrome

May 17, 2023


Google has released Chrome version 113.0.5672.126/127 (Stable Channel), patching 12 vulnerabilities. Successful exploitation of some of these vulnerabilities could allow remote code execution (RCE) on the targeted system.

The RCE Vulnerabilities

  • CVE-2023-2721, Critical – Use-after-free vulnerability in Navigation that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2023-2722, High – Use-after-free vulnerability in Autofill UI that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2023-2723, High – Use-after-free vulnerability in DevTools that allows a remote attacker, who had compromised the renderer process, to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2023-2724, High – Type confusion vulnerability in V8 that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2023-2725, High – Use-after-free vulnerability in Guest View that allows a remote attacker, who convinced a user to install a malicious extension, to potentially exploit heap corruption via a crafted HTML page.

Affected Products

These vulnerabilities affect all unpatched Chrome and Chromium-based browsers.

Mitigation

CYREBRO recommends updating browsers to the latest Chrome version, 113.0.5672.126/127 for Windows and 113.0.5672.126 for Mac and Linux.
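
A fleet check for the fixed build named above, as an added example that is not part of the original advisory: it flags Google Chrome installs below 113.0.5672.126 using numeric, per-component comparison. The inventory rows, hostnames, the "Other Chromium Browser" product name and the "unverified" status are assumptions of this example.

```python
import re

# Fixed build from the advisory: 113.0.5672.126 (Windows may also show .127).
PATCHED = (113, 0, 5672, 126)

# Matches the four-part version in strings such as "Google Chrome 113.0.5672.93".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(product, version_text):
    """Classify one inventory row as 'patched', 'vulnerable' or 'unverified'."""
    version = parse_version(version_text)
    if version is None:
        return "unverified"  # unparseable input: needs a manual look
    if product.strip().lower() != "google chrome":
        # Other Chromium-based browsers use their own version numbers; the
        # advisory gives no fixed build for them, so do not guess.
        return "unverified"
    # Tuple comparison is numeric per component, so .93 < .126
    # (a plain string comparison would get this wrong).
    return "patched" if version >= PATCHED else "vulnerable"


def audit(rows):
    """Map each (host, product, version_text) row to (host, status)."""
    return [(host, classify(product, ver)) for host, product, ver in rows]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "Google Chrome", "Google Chrome 113.0.5672.127"),
    ("ws-02", "Google Chrome", "Google Chrome 113.0.5672.93"),
    ("mac-01", "Google Chrome", "113.0.5672.126"),
    ("lin-01", "Google Chrome", "Google Chrome 112.0.5615.165"),
    ("ws-03", "Other Chromium Browser", "113.0.1774.50"),
    ("ws-04", "Google Chrome", "version unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Rows reported as "unverified" need the vendor's own fixed version or a manual check before they are treated as patched.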

For the full patched vulnerabilities list, visit Chrome Releases.

References: Chrome Releases.
