Google has fixed a zero-day in Chrome for the second time in a short period. The vulnerability is an integer overflow in the text rendering engine Skia that allowed a sandbox escape. The flaw was exploited in the wild, Google says.
Google has implemented the bug fix in Chromium. For Chrome, the fix is in the Stable Channel, in versions 112.0.5615.137/138 for Windows and 112.0.5615.137 for macOS. The update fixes a total of eight vulnerabilities. Five of these were reported by external researchers, and one of them is a zero-day.
The zero-day is CVE-2023-2136, an integer overflow in the Skia repository. Skia is an engine used in Chromium to render text. The vulnerability is rated high risk. According to Google, an attacker can use a specially crafted HTML page to exploit it and escape the sandbox. Several of the other fixed bugs are also high risk, including two out-of-bounds memory vulnerabilities in the Service Worker API and a use-after-free in DevTools.
As usual, Google does not provide any further information about how the vulnerability was exploited in the wild. It is the second time in a short period that the company has fixed an actively exploited bug in the popular browser; the previous fix came on Saturday. It is not known whether the two bugs are related.