Google has released an update for Chrome to fix several new vulnerabilities, including one rated high severity that is currently being exploited.
The vulnerability in question, CVE-2023-6345, is listed as an integer overflow issue in Skia, an open-source 2D graphics library written in C++.
“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the tech giant said.
The vulnerability was reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) on November 24. That would suggest that the zero-day flaw could be linked to the delivery of commercial spyware.
Read more on Chrome updates: Google Releases Chrome Patch to Fix New Zero-Day Vulnerability
The TAG is often involved in tracking such threats, particularly state-sponsored attacks on individuals such as dissidents and activists that autocratic regimes want to covertly monitor.
In September, for example, TAG’s Lecigne reported another high-severity zero-day bug in Chrome under exploitation that was patched in the 117.0.5938.132 release. His colleague Maddie Stone confirmed that the vulnerability was “in use by a commercial surveillance vendor.”
Google said that access to the details of the vulnerability “may be kept restricted until a majority of users are updated with a fix,” or if it exists in a third-party library that other projects depend on but haven’t yet fixed.
“The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, which will roll out over the coming days/weeks,” it added.
The other vulnerabilities listed in this update are all high severity:
- CVE-2023-6348 is a type confusion issue in Spellcheck
- CVE-2023-6347 is a use-after-free vulnerability in Mojo
- CVE-2023-6346 is a use-after-free bug in WebAudio
- CVE-2023-6350 is an out-of-bounds memory access issue in the libavif codec library
- CVE-2023-6351 is a use-after-free bug in libavif
Image credit: QubixStudio / Shutterstock.com