Actively Exploited Zero-Day Vulnerability in Google Chrome (CVE-2023-6345)

Google has released Chrome Version 119.0.6045.199 for Mac and Linux, and Version 119.0.6045.199/200 for Windows to address seven security issues, including a zero-day vulnerability (CVE-2023-6345).

Based on the official site for Chrome updates, “Google is aware of reports that an exploit for CVE-2023-6345 exists in the wild.”.

_____________________________

A. Nature of Vulnerability

CVE-2023-6348

Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10

CVE-2023-6347

Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21

CVE-2023-6346

Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09

CVE-2023-6350

Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13

CVE-2023-6351

Use after free in libavif. Reported by Fudan University on 2023-11-13

CVE-2023-6345

Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group on 2023-11-24

_____________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

Review and apply the necessary updates to mitigate future threats.
- Go to Chrome Settings > Help > About Google Chrome
For additional information, kindly refer to the official report
- https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html