CVE-2023-6345
Published: 29 November 2023
Summary
CVE-2023-6345 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 20.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-6345 is an integer overflow vulnerability (CWE-190) in the Skia graphics library used by Google Chrome. It affected all versions prior to 119.0.6045.199 and carried a CVSS 3.1 score of 9.6.
A remote attacker who had already compromised the Chrome renderer process could supply a malicious file to trigger the flaw and potentially escape the sandbox, achieving elevated access on the host system.
The primary mitigation is the Stable Channel update published on 28 November 2023 that advances Chrome to 119.0.6045.199 or later; downstream Fedora advisories likewise distribute the patched builds.
The associated EPSS score rose materially from a low baseline to a peak of 0.2024 on 5 December 2024 before receding to its current value of 0.0129, indicating a period of increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58586
Vulnerability details
Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
- CWE(s): CWE-190
- KEV Date Added: 30 November 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of the vendor patch (Chrome 119.0.6045.199) that eliminates the reachable integer overflow in Skia.
Mandates validation of untrusted file data before Skia processing, blocking the malicious input that triggers the CWE-190 overflow and subsequent sandbox escape.
Enforces hardware/software process isolation boundaries around the renderer, limiting the impact of any successful Skia-based escape from that sandbox.