Google has released seven security updates for Chrome to address critical vulnerabilities that attackers could have exploited to take control of affected devices. Google said that it may restrict access to bug details and links until a majority of users are updated with a fix.
Google will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.
Google recommends that users of the Google Chrome browser and other browsers built on the Chromium engine promptly install and activate the latest update. This critical security update addresses a vulnerability (CVE-2023-6345) for which an exploit is confirmed to be active in the wild, which underscores the importance of keeping browsers up to date.
In the advisory, Google has highlighted the following fixes that were contributed by external researchers:
High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of the 360 Vulnerability Research Institute on 2023-10-21
High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on November 9, 2023
High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group on 2023-11-24