Google Detects Second Zero-Day Chrome Exploit, Days After Patching Another Bug

Hackers have been spotted abusing another serious flaw in Chrome, days after Google patched a separate “zero day” vulnerability in the browser that was under active exploitation. 

On Tuesday, Google issued a security bulletin that mentioned the newly discovered Chrome vulnerability, CVE-2023-2136, which has been given a “high severity” rating.

“Google is aware that an exploit for CVE-2023-2136 exists in the wild,” the company warned. 

There are not a lot of details about the vulnerability. For now, Google describes it as an “integer overflow” involving the open-source Skia graphics engine, which is used by Chrome. 

The official CVE report adds that exploiting the flaw “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.” This could pave the way for the attacker to reach processes outside the sandbox and run untrusted malicious code on the computer, potentially spreading an infection.

Despite the lack of details, it’s possible the flaw was exploited in tandem with another zero-day vulnerability Google patched last Friday, called CVE-2023-2033, which involved a bug in the V8 JavaScript engine for the browser. 

The company uncovered both flaws through Clément Lecigne, a security researcher on Google’s Threat Analysis Group team, which is devoted to tracking the most fearsome hacking groups and uncovering zero-day vulnerabilities. Interestingly, Lecigne uncovered CVE-2023-2033 on April 11 and then CVE-2023-2136 on April 12. 

Both flaws can also be exploited through specially created HTML pages. Unrelated or not, this suggests the two vulnerabilities were used in attacks that involved delivering malicious HTML pages to the victims, possibly through phishing messages.

Fortunately, Google has been moving quickly to patch both flaws upon discovery. The company has already prepared a patch for CVE-2023-2136 that should be rolling out to users now. The fix will arrive as Chrome version 112.0.5615.137.

A button to update Chrome should appear in the upper-right corner of the browser when the new version becomes available. Otherwise, go to the “About Chrome” tab to automatically receive the update or visit Google’s support page on how to download the patches.


Source link : https://www.pcmag.com/news/google-detects-second-zero-day-chrome-exploit-days-after-patching-another