What is Skia?
Skia is Google's open-source 2D graphics rendering library, used by Chrome, ChromeOS, Android, Flutter, and other products to render canvas operations, images, and UI elements. In Chrome, Skia executes within the renderer process, the sandboxed process that handles web page rendering and JavaScript execution. A Skia vulnerability that allows memory corruption within the renderer process is typically exploitable as a sandbox escape primitive: if an attacker has already achieved code execution in the renderer (often via a separate V8/JavaScript engine exploit), a Skia sandbox escape lets them break out of Chrome's sandbox and execute arbitrary code on the host OS with the privileges of the Chrome process.
Overview
CVE-2023-6345 is a zero-day integer overflow vulnerability in Chrome's Skia graphics engine, exploited as a sandbox escape in full Chrome compromise chains. Google released an emergency patch on November 28, 2023 (Chrome 119.0.6045.199/200), and CISA added it to KEV the same day. Integer overflow vulnerabilities in graphics rendering libraries are commonly used as the second stage of browser exploit chains: combined with a JavaScript engine exploit for the initial renderer compromise, the Skia overflow lets the attacker escape Chrome's sandbox and achieve OS-level code execution.
Affected Versions
| Product | Fixed Version |
|---|---|
| Chrome (Windows/Mac/Linux) | 119.0.6045.199/200 |
| ChromeOS | Updated via ChromeOS channel |
| Android (Chrome) | Updated via Play Store |
Other products using Skia (Flutter, Electron) may also be affected; check vendor advisories.
Technical Details
CWE-190 (Integer Overflow). The Skia graphics engine contains an integer overflow in its canvas or bitmap handling code. When a specially crafted image or canvas operation is processed, an arithmetic calculation overflows: the result wraps around to a small value once the true product exceeds the integer type's maximum. Skia then allocates a memory buffer sized from the overflowed (small) value while writing data sized from the actual (large) value, producing a heap buffer overflow that corrupts adjacent memory.
In Chrome's security model, this memory corruption occurs within the renderer sandbox. The Scope Changed (S:C) rating reflects the sandbox escape: the vulnerability crosses the security boundary between the renderer process (untrusted, sandboxed) and the host OS. A successful exploit chain typically combines:
- A JavaScript/V8 engine exploit for initial renderer code execution
- CVE-2023-6345 (Skia integer overflow) for sandbox escape to OS-level code execution
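The under-allocation pattern described above, as an added illustration in C that is not Skia's or Chrome's code: a 32-bit width * height * bytes-per-pixel size computation that wraps, beside a checked version that refuses the request instead of truncating the size. The dimensions and the `MAX_BUFFER_BYTES` budget are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed upper bound for any single pixel buffer (constructed for this
 * example, not a Skia or Chrome constant). */
#define MAX_BUFFER_BYTES ((uint64_t)1 << 30)

/* Vulnerable pattern (CWE-190): the byte count is computed in 32-bit
 * arithmetic, so a large width*height*bpp silently wraps to a small value.
 * An allocator fed this value under-allocates; a copy loop that later uses
 * the true dimensions then writes past the end of the buffer. */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;   /* unsigned wrap-around, no diagnostic */
}

/* The true byte count, computed in 64-bit arithmetic so it cannot wrap. */
uint64_t true_buffer_size(uint32_t width, uint32_t height, uint32_t bpp) {
    return (uint64_t)width * height * bpp;
}

/* Hardened pattern: each multiplication is overflow-checked and the total is
 * compared against a budget before it is ever used as an allocation size.
 * Returns false (leaving *out untouched) when the request is unsafe, so the
 * caller rejects the image instead of allocating a truncated buffer. */
bool checked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out) {
    uint64_t row_bytes, total;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)bpp, &row_bytes)) return false;
    if (__builtin_mul_overflow(row_bytes, (uint64_t)height, &total)) return false;
    if (total == 0 || total > MAX_BUFFER_BYTES) return false;
    *out = (size_t)total;
    return true;
}

/* Bytes the vulnerable path would write beyond what it allocated. */
uint64_t overflow_shortfall(uint32_t width, uint32_t height, uint32_t bpp) {
    return true_buffer_size(width, height, bpp) - unchecked_buffer_size(width, height, bpp);
}

int main(void) {
    /* Constructed dimensions: 65536 x 16385 pixels at 4 bytes per pixel. */
    uint32_t w = 65536, h = 16385, bpp = 4;
    size_t safe;
    printf("wrapped size: %u bytes, true size: %llu bytes\n",
           unchecked_buffer_size(w, h, bpp),
           (unsigned long long)true_buffer_size(w, h, bpp));
    printf("checked allocation accepted: %s\n",
           checked_buffer_size(w, h, bpp, &safe) ? "yes" : "no (rejected)");
    return 0;
}
```

With the constructed dimensions the wrapped size is 262144 bytes against a true size of about 4 GiB, which is exactly the gap a heap overflow of this class exploits; the checked path rejects the request outright.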
Discovery
Reported to Google by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG). When TAG researchers discover and report a Chrome zero-day, it typically means the vulnerability was already being used against high-value targets: nation-state-backed threat actors (commercial spyware vendors, government hackers) primarily exploit browser sandbox escapes against journalists, activists, dissidents, and government officials.
Exploitation Context
Browser sandbox escapes discovered by Google TAG are characteristic of commercial spyware exploitation chains (Pegasus, Predator, Reign) and nation-state offensive cyber operations targeting high-value individuals. The Skia integer overflow serves as the second stage in a full chain that starts with renderer compromise via JavaScript exploitation. The Scope Changed rating and the CVSS score of 9.6 reflect that exploitation achieves OS-level access, allowing the attacker to install persistent malware, access files, camera, and microphone, and bypass device security controls.
Remediation
- Update Chrome to 119.0.6045.199 or later. Chrome typically updates automatically, but verify the version via Chrome → Help → About Google Chrome.
- Restart Chrome after the update so the new version is actually running (Chrome downloads updates in the background but only applies them on restart).
- Organizations using Chromium-based browsers (Edge, Brave, Opera) should check for their respective updates; Skia is shared across these browsers, and they typically release Chromium security updates promptly.
- For ChromeOS devices, ensure the ChromeOS update is applied via Settings → About ChromeOS → Check for updates.
- Enable Chrome automatic updates in managed environments via policy to minimize the window between zero-day disclosure and patch deployment.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-6345 |
| Vendor / Product | Google / Chromium Skia |
| NVD Published | 2023-11-29 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-190 |
| CISA KEV Added | 2023-11-30 |
| CISA KEV Deadline | 2023-12-21 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-11-28 | Google releases Chrome 119.0.6045.199/200 patching CVE-2023-6345 as a zero-day; same-day CISA KEV addition |
| 2023-11-30 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2023-12-21 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update, November 28, 2023 | Vendor Advisory |
| NVD entry for CVE-2023-6345 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |