CVE-2023-2136

CVSS 9.6 CRITICALEPSS 5.8%● KEVCWE-190

Vexday Risk Score

58Attention

SSVC decision (CISA)

Act

Exploitation + impact → act immediately

CVSS 9.6EPSS 5.8%KEV simPoC —Nuclei —Metasploit —Patch —

Lifecycle

19 Apr 2023Published on NVD

21 Apr 2023Active exploitation (CISA KEV)

Recommendation: Patch as soon as possible — active exploitation confirmed.

In short

A flaw in Chrome's graphics library (Skia) allows an attacker who already controls the browser's rendering process to escape the security sandbox and gain full system access by using a specially crafted webpage.

Technical detail

Integer overflow vulnerability in Skia graphics renderer enables sandbox escape when renderer process is compromised; attacker crafts malicious HTML to trigger the overflow, potentially escalating privileges to system level. Requires prior renderer compromise but results in critical sandbox bypass.

Summary generated and translated by AI from the official description.

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

Google · Chrome

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References