---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'High Vulnerabilities in Google Chrome'
version: '1.0'
number: '2023-093'
original_date: 'November 28, 2023'
date: 'November 29, 2023'
---

_History:_

* _29/11/2023 --- v1.0 -- Initial publication_

# Summary

On November 28, Google released an emergency security update to address six high-severity vulnerabilities found in Chrome. Google is aware that an exploit exists for one of the vulnerabilities, tracked as `CVE-2023-6345` [1].

# Technical Details

The high-severity zero-day vulnerability `CVE-2023-6345` is caused by an integer overflow weakness within the Skia open-source 2D graphics library, posing risks ranging from crashes to the execution of arbitrary code. Skia is also used as a graphics engine by other products like ChromeOS, Android, and Flutter [2].

The other vulnerabilities are:

- CVE-2023-6348: Type Confusion in `Spellcheck`.
- CVE-2023-6347: Use after free in `Mojo`.
- CVE-2023-6346: Use after free in `WebAudio`.
- CVE-2023-6350: Out of bounds memory access in `libavif`.
- CVE-2023-6351: Use after free in `libavif`.

# Affected Products

Google Chrome versions prior to 119.0.6045.199 for Mac and Linux and prior to 119.0.6045.199/.200 for Windows are affected by these vulnerabilities.

Other Chromium-related projects depending on the `Skia` library might also be affected.

# Recommendations

Update the affected products to the latest versions available as soon as possible to mitigate the vulnerabilities.

# References

[1]

[2]
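To apply the version thresholds from the Affected Products section across a fleet, the following added example (not part of the CERT-EU advisory) classifies reported Chrome version strings against the fixed build 119.0.6045.199. The host names and inventory entries are constructed sample data, and the input format assumes the kind of string printed by `google-chrome --version`.

```python
import re

# Fixed build named in the advisory. Windows also received .200, which
# compares as newer, so one threshold covers Mac, Linux and Windows.
FIXED = (119, 0, 6045, 199)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part version in `text` as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'affected', 'patched' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # no usable version: needs a manual look
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "119.0.6045.99" above "119.0.6045.199".
    return "affected" if version < FIXED else "patched"


def triage(inventory):
    """Group host names by status, given {host: reported version string}."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        result[classify(reported)].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 119.0.6045.159",
    "ws-002": "Google Chrome 119.0.6045.199",
    "ws-003": "Google Chrome 119.0.6045.200",
    "ws-004": "Google Chrome 118.0.5993.117",
    "ws-005": "Google Chrome 119.0.6045.99",
    "ws-006": "chrome: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed patched.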