The flaw, tracked as CVE-2023-2136, is a case of integer overflow in Skia, an open-source 2D graphics library. Clément Lecigne of Google’s Threat Analysis Group (TAG) discovered and reported the flaw on April 12, 2023.
“Integer overflow in Skia in Google Chrome before 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,” according to the NIST’s National Vulnerability Database (NVD).
The tech giant, which also fixed seven other security issues with the latest update, said it’s aware of active exploitation of the flaw but did not disclose additional details to prevent further abuse.
The development marks the second Chrome zero-day vulnerability to be exploited by malicious actors and comes merely days after Google patched CVE-2023-2033 last week. It’s not immediately clear if the two zero-days have been chained together as part of in-the-wild attacks.
Users should upgrade to version 112.0.5615.137 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.