CVE-2023-2136: Google Chrome Skia Integer Overflow Vulnerability
First published: Wed Apr 12 2023(Updated: )
<p>This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see <a href="https://chromereleases.googleblog.com/2023">Google Chrome Releases</a> for more information.</p> <p>Google is aware that an exploit for CVE-2023-2136 exists in the wild.</p>
Credit: Clément Lecigne Google's Threat Analysis Group chrome-cve-admin@google.com chrome-cve-admin@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Edge | <112.0.1722.54 | |
| debian/chromium | <=90.0.4430.212-1~deb10u1 | 116.0.5845.180-1~deb11u1 119.0.6045.123-1~deb11u1 116.0.5845.180-1~deb12u1 119.0.6045.123-1~deb12u1 119.0.6045.105-1 119.0.6045.123-1 |
| Google Chrome | <112.0.5615.137 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| Google Chrome | <112.0.5615.137 | 112.0.5615.137 |
| Google Chrome | =120.0.6099.224 | |
| Google Chrome | =120.0.6099.225 | |
| Google Chrome | =120.0.6099.234 | |
| Microsoft Edge (Chromium-based) | ||
| Google Android | ||
| Google Chromium Skia |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://android.googlesource.com/platform/external/skia/+/cfaa1ca1ceec8ec46ffbc89f707d280007a52c83
- https://source.android.com/docs/security/bulletin/2023-07-01 (Advisory)
- https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/
- https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html (Advisory)
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136 (Advisory)
- https://crbug.com/1432603
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AOSGAOPXLBK4A5ZRTVZ4M6QKVLSWMWG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ES2CDRHR2Y4WY6DNDIAPYZFXJU3ZBFAV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FEJZMAUB4XP44HSHEBDWEKFGA7DUHY42/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHHD6KNH4WLUE6JG6HRQZWNAJMHJ32X7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJQI63HWZFL6M26Q6UOHKDY6LD2PFC5Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLO7BL2MHZYPY6O3OAEAQL3SKYMGGO6M/
- https://security.gentoo.org/glsa/202309-17
- https://www.debian.org/security/2023/dsa-5393
- https://security-tracker.debian.org/tracker/CVE-2023-2136
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID for the Google Chrome Skia Integer Overflow vulnerability?
The vulnerability ID for the Google Chrome Skia Integer Overflow vulnerability is CVE-2023-2136.
What is the severity of CVE-2023-2136?
The severity of CVE-2023-2136 is critical with a severity value of 9.
Which software products are affected by CVE-2023-2136?
The affected software products include Google Chrome, Google Android, Microsoft Edge (Chromium-based), Microsoft Edge, Debian Debian Linux, and Fedoraproject Fedora.
Where can I find more information about CVE-2023-2136?
You can find more information about CVE-2023-2136 at the following references: - [Microsoft Security Response Center](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136) - [Google Chrome Releases](https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html) - [Android Googlesource](https://android.googlesource.com/platform/external/skia/+/cfaa1ca1ceec8ec46ffbc89f707d280007a52c83)
How do I fix the Google Chrome Skia Integer Overflow vulnerability?
To fix the Google Chrome Skia Integer Overflow vulnerability, update your software to the latest version available from the respective vendors' websites.
- collector/msrc-cve
- collector/msrc
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- exploited/true
- collector/chrome-releases
- agent/software-canonical-lookup
- agent/title
- agent/author
- agent/references
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-0519
- alias/CVE-2024-0517
- alias/CVE-2024-0518
- alias/CVE-2023-7024
- alias/CVE-2023-6345
- alias/CVE-2023-5217
- alias/CVE-2023-4863
- alias/CVE-2023-3079
- alias/CVE-2023-4762
- alias/CVE-2023-2136
- alias/CVE-2023-2033
- agent/severity
- agent/weakness
- zeroday/true
- agent/news-ai
- collector/android-source
- source/Android
- agent/last-modified-date
- agent/event
- agent/softwarecombine
- agent/tags
- agent/description
- collector/cisa-known-exploited
- source/CISA
- vendor/microsoft
- canonical/microsoft edge
- package-manager/debian
- vendor/google
- canonical/google chrome
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- version/google chrome/120.0.6099.224
- version/google chrome/120.0.6099.225
- version/google chrome/120.0.6099.234
- canonical/microsoft edge (chromium-based)
- canonical/google android
- canonical/google chromium skia