Cyber Resilience

CVE-2023-2136

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 19 April 2023

Published
19 April 2023
Modified
24 October 2025
KEV Added
21 April 2023
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0044 63.5th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2136 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.6 (Critical).

Operationally, ranked in the top 36.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-2136 is an integer overflow vulnerability in the Skia graphics library within Google Chrome versions prior to 112.0.5615.137. The flaw is tracked under CWE-190 and received a CVSS 3.1 score of 9.6, reflecting its high severity in the Chromium security framework.

A remote attacker who had already compromised the renderer process could exploit the issue by serving a crafted HTML page, potentially achieving a sandbox escape that grants access to resources outside the renderer’s restricted environment.

Chrome stable channel updates and downstream Fedora package advisories direct users to upgrade to version 112.0.5615.137 or later to address the vulnerability.

The associated EPSS score rose from a low baseline to a recorded peak of 0.0104, indicating emerging exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
21 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 112.0.5615.137
debian
debian linux
11.0
fedoraproject
fedora
36, 37, 38

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch that eliminates the integer-overflow flaw in Skia.

prevent

Enforces process isolation boundaries that the renderer sandbox relies on, blocking the post-compromise escape path.

prevent

Limits privileges granted to the renderer process, reducing the impact and feasibility of a successful sandbox escape.

References