Google Patches RCE Vulnerabilities in Chrome
May 17, 2023
Google has released Chrome version 113.0.5672.126/127 (Stable Channel), patching 12 vulnerabilities. Successful exploitation of some of these vulnerabilities could allow remote code execution (RCE) on the targeted system.
The RCE Vulnerabilities
- CVE-2023-2721, Critical – Use-after-free vulnerability in Navigation which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2023-2722, High – Use-after-free vulnerability in Autofill UI which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2023-2723, High – Use-after-free vulnerability in DevTools which allows a remote attacker, who had compromised the renderer process, to potentially exploit heap corruption via a crafted HTML page.
- CVE-2023-2724, High – Type confusion vulnerability in V8 which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2023-2725, High – Use-after-free vulnerability in Guest View which allows a remote attacker, who convinced a user to install a malicious extension, to potentially exploit heap corruption via a crafted HTML page.
Affected Products
These vulnerabilities affect all unpatched Chrome and Chromium-based browsers.
Mitigation
CYREBRO recommends updating browsers to the latest Chrome version, 113.0.5672.126/127 for Windows and 113.0.5672.126 for Mac and Linux.
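Verifying that the update has actually landed is the practical part of this mitigation. The following Python script is an added example, not part of the advisory, that compares a Chrome version string against the minimum patched build named above (113.0.5672.126, the floor on every platform) and triages constructed proxy-log lines by their User-Agent. It also handles one edge case a practitioner hits immediately: since Chrome 110 the default User-Agent is reduced to the major version only (for example Chrome/113.0.0.0), so a UA-based check can say "unknown" but must never report such a client as unpatched; use endpoint inventory for an exact version in that case. The log format, IP addresses and URLs are constructed.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum patched Stable Channel build from the advisory. 113.0.5672.126 is the
# floor on Windows, Mac and Linux (Windows additionally shipped .127).
MIN_PATCHED: Version = (113, 0, 5672, 126)

# A bare four-part version, as an endpoint inventory tool would report it.
_BARE_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")
# The "Chrome/MAJOR.MINOR.BUILD.PATCH" token inside a User-Agent string.
_UA_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the Chrome version in text as a 4-tuple of ints, or None."""
    m = _BARE_RE.match(text) or _UA_RE.search(text)
    if m is None:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def classify(version: Version, minimum: Version = MIN_PATCHED) -> str:
    """Classify a version as 'patched', 'unpatched' or 'unknown'.

    'unknown' is the reduced User-Agent Chrome 110+ sends by default, where
    minor, build and patch are zeroed (e.g. 113.0.0.0). It carries no
    patch-level information, so it is neither confirmed patched nor unpatched.
    """
    if version[1:] == (0, 0, 0):
        return "unknown"
    # Tuples of ints compare component-wise, which is exactly version ordering.
    return "patched" if version >= minimum else "unpatched"


def triage_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, version, status) for every line carrying a Chrome UA."""
    results = []
    for line in lines:
        version = parse_version(line)
        if version is None:
            continue  # no Chrome token: another browser or a non-UA line
        client = line.split()[0]
        results.append((client, ".".join(map(str, version)), classify(version)))
    return results


# Constructed sample proxy log: "<client-ip> <method> <url> "<user-agent>"".
SAMPLE_PROXY_LOG = [
    '10.0.0.11 GET https://intranet.example.test/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.92 Safari/537.36"',
    '10.0.0.12 GET https://intranet.example.test/ "Mozilla/5.0 (X11; Linux x86_64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36"',
    '10.0.0.13 GET https://intranet.example.test/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"',
    '10.0.0.14 GET https://intranet.example.test/ "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) '
    'Gecko/20100101 Firefox/113.0"',
]


if __name__ == "__main__":
    # Exact version from inventory: definitive answer.
    print("inventory 113.0.5672.92 ->", classify(parse_version("113.0.5672.92")))
    # Proxy log: definitive only where the full version is exposed.
    for client, version, status in triage_log(SAMPLE_PROXY_LOG):
        print(f"{client:<12} {version:<16} {status}")
```

Feed `classify(parse_version(...))` the version string your endpoint agent reports for a definitive answer; treat every "unknown" from the proxy log as a prompt to query inventory, not as evidence either way.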
For the full patched vulnerabilities list, visit Chrome Releases.
References: Chrome Releases.