Cve 2023 2136

Recently, Google released an emergency security update to fix another Chrome zero-day vulnerability actively exploited in the wild. This zero-day flaw has been tracked as CVE-2023-2136 and is the second zero-day vulnerability found this year.In this case, the most exciting development is that Google knows a working exploit for CVE-2023-2136 is already available in the wild.While Google releases this update through Stable Channel Update for all the major platforms, and here we have mentioned them accordingly:-Windows: 112.0.5615.137/138Mac: 112.0.5615.137 Linux: 112.0.5615.165This new emergency update from Google for Chrome comes with eight bug fixes. High CVE-2023-2133: Out-of-bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30High CVE-2023-2134: Out-of-bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-04-12 (Zero Day)Medium CVE-2023-2137: Heap buffer overflow in SQLite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05Besides this, Google asserted that the stable release will soon be available to all users of the above-mentioned platforms in the coming few days or weeks.Second Google Chrome Zero-Day Bug of this yearThis newly detected vulnerability is the second Google Chrome zero-day flaw found this year and has been actively exploited in the wild.Here below, we have mentioned the details of both zero-day vulnerabilities found this year:-Here the first one:-CVE ID: CVE-2023-2033Description: It’s a type of Confusion in V8.Severity: HIGHReporting: It has been reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-04-11.Here the second one:-CVE ID: CVE-2023-2136 Description: It’s an integer overflow in Skia.Severity: HIGHReporting: It has been reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-04-12.Skia, a widely-used open-source 2D graphics library owned by Google and written in C++, has been found to contain this critical vulnerability (CVE-2023-2136). This high-severity vulnerability involves an integer overflow and has the potential to cause significant harm to the affected systems.Skia is an essential component of Chrome’s rendering pipeline, as it offers a wide range of APIs that enable the browser to render:-GraphicsShapesTextAnimationsImages All these features make it a powerful tool for developers, enabling them to create stunning web experiences and deliver high-quality graphics across multiple platforms.Among the most common software vulnerabilities, integer overflow bugs arise when a given operation generates a value that surpasses the maximum limit for the particular integer type being used. Such incidents frequently lead to unintended software behavior, often presenting security threats that can expose the system to unauthorized access or malicious attacks.“Google is aware that an exploit for CVE-2023-2136 exists in the wild.” Google said.Besides, Google has not provided further details in the brief to give the users time to patch their vulnerable Chrome versions. Not only that, doing so will also prevent any further exploitation. To address the actively exploited security issue, the following are the steps that you need to follow to start the manual process of

CVE-2023-2136: Integer overflow in Skia- Medium CVE-2023-2137: Heap buffer overflow in sqliteAs usual, our ongoing internal security work was responsible for a wide range of fixes:- [1434139] Various fixes from internal audits, fuzzing and other initiativesGoogle Chrome 112.0.5615.121Security Fixes:- High CVE-2023-2033: Type Confusion in V8- Various fixes from internal audits, fuzzing and other initiativesGoogle Chrome 112.0.5615.49- High CVE-2023-1810: Heap buffer overflow in Visuals- High CVE-2023-1811: Use after free in Frames- Medium CVE-2023-1812: Out of bounds memory access in DOM Bindings- Medium CVE-2023-1813: Inappropriate implementation in Extensions- Medium CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing- Medium CVE-2023-1815: Use after free in Networking APIs- Medium CVE-2023-1816: Incorrect security UI in Picture In Picture- Medium CVE-2023-1817: Insufficient policy enforcement in Intents- NA1223346 Medium CVE-2023-1818: Use after free in Vulkan- NA1406588 Medium CVE-2023-1819: Out of bounds read in Accessibility- TBD1408120 Medium CVE-2023-1820: Heap buffer overflow in Browser History- Low CVE-2023-1821: Inappropriate implementation in WebShare- Low CVE-2023-1822: Incorrect security UI in Navigation- TBD1406900 Low CVE-2023-1823: Inappropriate implementation in FedCMVarious fixes from internal audits, fuzzing and other initiatives:- Content Security Policy: Apply strict-dynamic for ScriptSpeculationRules- aw: Fix metrics service unbinding when not bound- Updating XTBs based on .GRDs from branch 5615- CCA: Hide grid lines when grid disabled or not streaming- Consume history user activation unconditionally when a traversal navigate event has its default prevented- Only render ntp-lens-upload-dialog in dom once its opened rather than- [Merge to M112] Prerender: Grant mojo bindings on cross-origin iframes after activation- Don't crash if a misconfigured printer is missing a URI attribute- [Merge 112] Site Data Dialog: Stop caching PSCS BDM pointers- Don't pre-match ::-webkit-scrollbar with trailing selectors- [M112 merge]: Initialize WaylandTextInputDelegate::pending_focus_reason_ by default- [M112][RDSG] Use CurrentLog as annotation mode for Synthetic TrialGoogle Chrome 111.0.5563.146- Change log not available for this versionGoogle Chrome 111.0.5563.110Security Fixes:- High CVE-2023-1528: Use

Google's policy states that no bug bounty will be rewarded for this particular flaw.image © 2025. all rights reserved.Why is the Vulnerability Critical?Heap buffer overflow issues like Chrome Zero-Day Vulnerability CVE-2023-4863 are perilous because they can be exploited to bring down an application and potentially provide a gateway for hackers to run arbitrary code. This is particularly alarming when the application in question is a browser, as it serves as a gateway to the Internet and holds a wealth of information, including login credentials and personal data.Also, the fact that Citizen Lab and Apple SEAR were the entities that reported this flaw raises eyebrows. Commercial spyware companies often offer complex exploit chains that include Chrome vulnerabilities, targeting not only desktop users but also Android mobile users.Here is an insightful article on why browser vulnerabilities are a critical issue.Google’s Chrome Patch DetailsGoogle responded by releasing an emergency security update to mitigate Chrome Zero-Day Vulnerability CVE-2023-4863. Chrome users should now look for version 116.0.5845.187 for macOS and Linux, and as versions 116.0.5845.187/.188 for Windows. It is crucial to apply this update as soon as possible to safeguard against potential exploits.To update your Chrome browser, follow these steps.The Landscape of Zero-Day Vulnerabilities in 2023It is worth noting that CVE-2023-4863 is the fourth zero-day vulnerability that Google has addressed in Chrome this year. Earlier, they had patched CVE-2023-3079 (type confusion in the V8 engine) in June and CVE-2023-2033 (type confusion in the V8 engine) and CVE-2023-2136 (integer overflow in Skia) in April. This series

Pierluigi Paganini September 11, 2023 Google rolled out emergency security updates to address a new Chrome zero-day (CVE-2023-4863) actively exploited in the wild.Google rolled out emergency security updates to address a zero-day vulnerability that has been actively exploited in attacks in the wild since the start of the year.The vulnerability, tracked as CVE-2023-4863, is the fourth actively exploited zero-day fixed by Google in 2023.The flaw CVE-2023-4863 is a critical heap buffer overflow that resides in the WebP. The issue was reported to the IT giant by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06.“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.” reads the announcement made by Google. “Google is aware that an exploit for CVE-2023-4863 exists in the wild.”According to the advisory, the Stable and Extended stable channels have been updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows, which will be released over the coming days/weeks.As usual, Google did not publicly share details of the attacks, however, the fact that the issue was reported by Citizen Lab suggests that the vulnerability may have been exploited in attacks against high-profile individuals such as journalists or dissidents.This year Google already addressed the following actively exploited zero-day flaws in Chrome:CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics libraryCVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, Chrome)

Google Chrome 134.0.6998.89Security fixes:- High CVE-2025-1920: Type Confusion in V8- High CVE-2025-2135: Type Confusion in V8- High CVE-TBD: Out of bounds write in GPU- Medium CVE-2025-2136: Use after free in Inspector- Medium CVE-2025-2137: Out of bounds read in V8Google Chrome 134.0.6998.45Security Fixes and Rewards:- High CVE-2025-1914: Out of bounds read in V8- Medium CVE-2025-1915: Improper Limitation of a Pathname to a Restricted Directory in DevTools- Medium CVE-2025-1916: Use after free in Profiles- Medium CVE-2025-1917: Inappropriate Implementation in Browser UI- Medium CVE-2025-1918: Out of bounds read in PDFium- Medium CVE-2025-1919: Out of bounds read in Media- Medium CVE-2025-1921: Inappropriate Implementation in Media Stream- Low CVE-2025-1922: Inappropriate Implementation in Selection- Low CVE-2025-1923: Inappropriate Implementation in Permission Prompts- Various fixes from internal audits, fuzzing and other initiativesGoogle Chrome 133.0.6943.142- Various fixes from internal audits, fuzzing and other initiativesGoogle Chrome 133.0.6943.127Security fixes:- High CVE-2025-0999: Heap buffer overflow in V8- High CVE-2025-1426: Heap buffer overflow in GPU- Medium CVE-2025-1006: Use after free in NetworkGoogle Chrome 133.0.6943.54Security fixes:- High CVE-2025-0444: Use after free in Skia- High CVE-2025-0445: Use after free in V8- Medium CVE-2025-0451: Inappropriate implementation in Extensions API- Various fixes from internal audits, fuzzing and other initiativesGoogle Chrome 132.0.6834.160Security fixes:- CVE-2025-0762: Use after free in DevTools- Various fixes from internal audits, fuzzing and other initiativesGoogle Chrome 132.0.6834.111- Change log not available for this versionGoogle Chrome 132.0.6834.84Security fixes:- High CVE-2025-0434: Out of bounds memory access in V8- High CVE-2025-0435: Inappropriate implementation in Navigation- High CVE-2025-0436: Integer overflow in Skia- High CVE-2025-0437: Out of bounds read in Metrics- High CVE-2025-0438: Stack buffer overflow in Tracing- Medium CVE-2025-0439: Race in Frames- Medium CVE-2025-0440: Inappropriate implementation in Fullscreen- Medium CVE-2025-0441: Inappropriate implementation in Fenced Frames- Medium CVE-2025-0442: Inappropriate implementation in Payments- Medium CVE-2025-0443: Insufficient data validation in Extensions- Low CVE-2025-0446: Inappropriate implementation in Extensions- Low CVE-2025-0447: Inappropriate implementation in