Vulnerability Details : CVE-2023-6345
Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Vulnerability category: Overflow
Products affected by CVE-2023-6345
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
CVE-2023-6345 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Google Skia Integer Overflow Vulnerability
CISA required action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CISA description:
Google Chromium Skia contains an integer overflow vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a malicious file. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.
Notes:
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-d
Added on
2023-11-30
Action due date
2023-12-21
Exploit prediction scoring system (EPSS) score for CVE-2023-6345
15.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 96 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-6345
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.6
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
2.8
|
6.0
|
NIST |
CWE ids for CVE-2023-6345
-
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-6345
-
https://crbug.com/1505053
Sign in - Google AccountsPermissions Required
-
https://security.gentoo.org/glsa/202401-34
Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities (GLSA 202401-34) — Gentoo securityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7XQNYZZA3X2LBJF57ZHKXWOMJKNLZYR/
[SECURITY] Fedora 37 Update: chromium-119.0.6045.199-1.fc37 - package-announce - Fedora Mailing-ListsMailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T7ABNYMOI4ZHVCSPCNP7HQTOLGF53A2/
[SECURITY] Fedora 38 Update: chromium-119.0.6045.199-1.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html
Chrome Releases: Stable Channel Update for DesktopRelease Notes
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ/
[SECURITY] Fedora 39 Update: chromium-119.0.6045.199-1.fc39 - package-announce - Fedora Mailing-ListsMailing List
-
https://www.debian.org/security/2023/dsa-5569
Debian -- Security Information -- DSA-5569-1 chromiumMailing List
Jump to