Cyber Resilience

CVE-2023-6345

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 29 November 2023

Published
29 November 2023
Modified
24 October 2025
KEV Added
30 November 2023
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0129 80.0th percentile
Risk Priority 40 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-6345 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.6 (Critical).

Operationally, ranked in the top 20.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-6345 is an integer overflow vulnerability (CWE-190) in the Skia graphics library used by Google Chrome. It affected all versions prior to 119.0.6045.199 and carried a CVSS 3.1 score of 9.6.

A remote attacker who had already compromised the Chrome renderer process could supply a malicious file to trigger the flaw and potentially escape the sandbox, achieving elevated access on the host system.

The primary mitigation is the Stable Channel update published on 28 November 2023 that advances Chrome to 119.0.6045.199 or later; downstream Fedora advisories likewise distribute the patched builds.

The associated EPSS score rose materially from a low baseline to a peak of 0.2024 on 5 December 2024 before receding to its current value of 0.0129, indicating a period of increased exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

CWE(s)
KEV Date Added
30 November 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 119.0.6045.199
debian
debian linux
11.0, 12.0
fedoraproject
fedora
37, 38, 39
microsoft
edge chromium
≤ 119.0.2151.97

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (Chrome 119.0.6045.199) that eliminates the reachable integer overflow in Skia.

prevent

Mandates validation of untrusted file data before Skia processing, blocking the malicious input that triggers the CWE-190 overflow and subsequent sandbox escape.

prevent

Enforces hardware/software process isolation boundaries around the renderer, limiting the impact of any successful Skia-based escape from that sandbox.

References