What is Google Chrome's Skia?
Google Chrome is the world's most widely used web browser, running on hundreds of millions of desktops and devices. Chrome's multi-process architecture uses a sandbox to isolate the renderer process (which handles web content parsing and rendering) from the OS and other processes. Skia is the open-source 2D graphics library used by Chrome, Android, Flutter, and ChromeOS to render text, images, and geometric shapes. Vulnerabilities in Skia are particularly impactful because Skia processes attacker-controlled web content (images, CSS, canvas operations) and runs inside the Chrome renderer process — making it an attractive target for sandbox escape exploits that leverage a renderer compromise to execute code on the underlying OS.
Overview
CVE-2023-2136 is a zero-day integer overflow vulnerability in the Skia graphics library that enables a renderer-to-OS sandbox escape in Google Chrome. An attacker who has already achieved renderer process compromise (e.g., through a separate renderer bug) can exploit this integer overflow in Skia to escape the Chrome sandbox and execute code at the OS level. Google patched it on April 18, 2023 in Chrome 112.0.5615.137/138, confirming that the vulnerability was being exploited in the wild at the time of the patch. The Scope Changed (S:C) rating reflects the sandbox escape — impact crosses the boundary from the renderer process into the broader OS.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome (Windows/Mac/Linux) | Prior to 112.0.5615.137 | 112.0.5615.137 / 138 |
| ChromeOS / ChromeOS Flex | Prior to corresponding update | Apply via system update |
| Android Chrome | Prior to corresponding channel update | Apply via Google Play |
Other Skia-based products (Flutter, Android graphics stack) may also be affected by the underlying Skia bug.
Technical Details
CWE-190 (Integer Overflow or Wraparound). Skia performs mathematical calculations on dimensions and coordinates for rendering operations. An integer overflow occurs when an arithmetic operation produces a result that exceeds the maximum value for the data type, causing the value to wrap around to an unexpected small number. In Skia's rendering pipeline, an integer overflow in a bounds calculation or allocation size can cause the renderer to write graphics data outside the intended buffer bounds — a type confusion or out-of-bounds write exploitable for code execution.
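The wraparound described above, shown as an added example in C (this is not code from the original page and not Skia source). The function names and input values are hypothetical and constructed; the unchecked allocation-size and bounds calculations sit beside hardened forms that fail closed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative helpers with hypothetical names; this is not Skia source. */

/* Unsafe: 32-bit multiplication wraps modulo 2^32, so oversized
 * dimensions can yield a small allocation size. */
static uint32_t pixel_bytes_unchecked(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Hardened: test each multiplication against the type's limit first and
 * fail closed rather than return a truncated size. */
static bool pixel_bytes_checked(uint32_t w, uint32_t h, uint32_t bpp,
                                size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0) return false;
    if (w > UINT32_MAX / bpp) return false;      /* w * bpp would wrap */
    uint32_t row = w * bpp;
    if (h > UINT32_MAX / row) return false;      /* row * h would wrap */
    *out = (size_t)row * h;
    return true;
}

/* Unsafe bounds check: x + len wraps, so a huge x passes. */
static bool span_fits_unchecked(uint32_t x, uint32_t len, uint32_t width)
{
    return x + len <= width;
}

/* Hardened bounds check: rearranged so no intermediate can overflow. */
static bool span_fits_checked(uint32_t x, uint32_t len, uint32_t width)
{
    return x <= width && len <= width - x;
}

int main(void)
{
    size_t n = 0;
    /* Constructed inputs chosen to trigger the wraparound. */
    printf("unchecked size: %u\n", (unsigned)pixel_bytes_unchecked(0x40000001u, 1, 4));
    printf("checked ok: %d\n", pixel_bytes_checked(0x40000001u, 1, 4, &n));
    printf("unchecked span: %d\n", span_fits_unchecked(0xFFFFFFF0u, 0x20, 1024));
    printf("checked span: %d\n", span_fits_checked(0xFFFFFFF0u, 0x20, 1024));
    return 0;
}
```

With these inputs the unchecked size calculation returns 4 bytes for a request of over a billion pixels, and the unchecked span test accepts an offset far past the row; both hardened forms reject the same inputs.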
The Scope Changed (S:C) CVSS rating captures the multi-step exploitation pattern: this vulnerability enables a sandbox escape once it is chained with a renderer compromise. In practice, attackers chain a renderer vulnerability (to gain code execution inside the sandboxed renderer process) with a sandbox escape like CVE-2023-2136 (to escape the sandbox and reach the OS). CVE-2023-2136 is the second stage of such a chain.
Chrome's zero-day response cycle for in-the-wild exploitation is typically very fast — patches usually release within days of internal detection, and the KEV addition followed within three days of the patch.
Discovery
The vulnerability was reported to Google's Chrome security team. The zero-day status (in-the-wild exploitation at patch time) indicates the vulnerability was identified following active exploitation reports rather than through Google's internal fuzzing alone.
Exploitation Context
Skia integer overflow zero-days in Chrome are consistently exploited by commercial spyware vendors and sophisticated nation-state actors to achieve full OS-level code execution on target devices. The April 2023 Skia vulnerability follows a pattern of Skia-targeted exploitation that continued through 2023 — a later related Skia zero-day (CVE-2023-6345, also in KEV) was patched in November 2023. The S:C sandbox escape capability makes Skia zero-days extremely valuable in attack chains targeting journalists, dissidents, government officials, and enterprise executives.
The User Interaction: Required (UI:R) metric reflects the need for the victim to visit a malicious webpage or open a malicious document in a Chromium-based browser, but this is a low bar: a single phishing link or drive-by redirect suffices.
Remediation
- Update Google Chrome to version 112.0.5615.137 or later immediately via Chrome's built-in updater (Menu → Help → About Google Chrome).
- Restart Chrome after updating to activate the patch — the update is not effective until Chrome relaunches.
- Apply updates to other Chromium-based browsers (Microsoft Edge, Brave, etc.) which share the Skia library.
- Apply ChromeOS system updates if running ChromeOS or ChromeOS Flex.
- For enterprise environments: use Chrome's Extended Stable channel and configure forced auto-update policies to minimize the window between patch availability and deployment.
- Consider enabling Chrome's Enhanced Safe Browsing for additional protection against drive-by exploitation delivery mechanisms.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-2136 |
| Vendor / Product | Google — Chromium Skia |
| NVD Published | 2023-04-19 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-190 |
| CISA KEV Added | 2023-04-21 |
| CISA KEV Deadline | 2023-05-12 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-04-18 | Google releases Chrome 112.0.5615.137/138 patching CVE-2023-2136 — zero-day with in-the-wild exploitation confirmed |
| 2023-04-19 | CVE-2023-2136 published |
| 2023-04-21 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2023-05-12 | CISA BOD 22-01 remediation deadline |