Google fixes yet another Chrome zero-day vulnerability

Google has issued security updates for its Chrome browser to address a number of vulnerabilities, including a zero-day flaw that has already been exploited by hackers. This is the second Chrome zero-day vulnerability that the tech giant has fixed in less than a week.

The new zero-day, tracked as CVE-2023-2136, is an integer overflow issue that resides in the Skia component in Google Chrome. A remote attacker can trick the victim into opening a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.

Skia is a 2D graphics library commonly used in web browsers, operating systems, and other software applications.

Besides CVE-2023-2136, Google addressed three remote execution flaws: two of them (CVE-2023-2133 and CVE-2023-2134) are buffer overflow issues affecting the Service Worker API, and the third (CVE-2023-2135) is a use-after-free issue within the DevTools component.

The company did not share any details on attacks exploiting the zero-day flaw.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google noted in a security advisory.

The new Chrome updates (112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac) will be available in the coming days/weeks, and the Chrome version for Linux is “coming soon.”
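For teams tracking the rollout, the following added example (not from Google or the original article) triages a browser inventory against the fixed builds listed above. The inventory format and host names are constructed, and treating any build below the listed number as needing the update is an assumption. Linux hosts are reported as unknown because no Linux build number is given here.

```python
import re

# Fixed builds as listed in the article; None means no build number was given.
FIXED_BUILDS = {
    "windows": (112, 0, 5615, 137),
    "mac": (112, 0, 5615, 137),
    "linux": None,
}

# Constructed sample inventory: host,platform,chrome_version
INVENTORY = """\
host-a,windows,112.0.5615.138
host-b,windows,112.0.5615.121
host-c,mac,112.0.5615.99
host-d,linux,112.0.5615.121
host-e,mac,113.0.0.0
host-f,windows,not-installed
"""

def parse_version(text):
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip(), flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def classify(platform, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one host."""
    version = parse_version(version_text)
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    if version is None or fixed is None:
        return "unknown"
    # Compare numerically: as strings, '112.0.5615.99' would sort above '...137'.
    return "patched" if version >= fixed else "needs_update"

def triage(inventory_text):
    """Group host names by status from 'host,platform,version' lines."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, platform, version = (field.strip() for field in line.split(","))
        results.setdefault(classify(platform, version), []).append(host)
    return results

if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```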
