CVE CyberSecurity Database News

CVE-2023-2136 - Integer Overflow in Skia (Chrome <112..5615.137) – Sandbox Escape Exploit Explained

Poster -

In April 2023, Google addressed a high-severity security bug in Chrome, tracked as CVE-2023-2136. This vulnerability affected the Skia graphics library, which Chrome uses for rendering. The flaw is dangerous, as it allowed attackers—once they gained renderer process code execution—to break Chrome’s sandbox protections and potentially take over your computer, all by tricking you into loading a malicious web page.

In this post, we will walk through what happened, why it mattered, how attackers could have exploited this, and look at some code details and references. We’ll keep things as clear and simple as possible.

What is Skia?

Skia is an open-source graphics library. Chromium (the engine behind Chrome) uses Skia to handle things like drawing shapes, text, and images. It’s in the very heart of web page rendering.

About the Vulnerability

- CVE: CVE-2023-2136
- CWE: CWE-190: Integer Overflow or Wraparound

Technical Description

The flaw is an integer overflow in Skia’s handling of certain graphics operations. If one of Skia’s drawing functions is fed large-enough values—let’s say, for an image size—two numbers might be multiplied, but the result doesn’t fit in the variable’s type (for instance, it “wraps around” to a small number if you multiply two big ones together, because of the way computers handle numbers).

If an attacker can control these numbers via a specially crafted HTML page (using  or SVG tags, for example), code inside the Chrome "renderer" process might behave unexpectedly. This could let an attacker read or write memory outside the intended bounds, making it possible to break out of the secure sandbox and potentially run code directly on your system.

Proof-of-Concept: Code Snippet

Below is a simplified version of what an attacker might aim for (NOTE: this is a demonstration, not a working exploit). The idea is to provoke Skia to process extremely large dimensions.

// PoC: Manipulating canvas size to trigger the overflow in Skia
let canvas = document.createElement('canvas');

// Using large values to trigger multiplication overflow in allocation
canvas.width = 65536;
canvas.height = 65536;

let ctx = canvas.getContext('2d');
try {
    // Try to draw something massive
    let imgData = ctx.createImageData(canvas.width, canvas.height);
    ctx.putImageData(imgData, , );
} catch (e) {
    console.log('Caught error:', e);
}

// Malicious pages might mash these numbers/pixels to smuggle data/control out of bounds

In actual exploits, the dimensions/values are fuzzed (randomized and tested in bulk) to find numbers that Skia mishandles, causing it to write outside buffer boundaries.

1. From Overflow to Sandbox Escape

1. Compromise Renderer Process: Attacker gets their code running in Chrome's renderer (e.g., via another bug, or exploiting this one to get limited code execution).
2. Trigger Skia Overflow: Attacker’s code creates a crafted HTML, JavaScript, or SVG that passes manipulated dimensions or data into Skia’s drawing functions. The overflow lets the attacker corrupt memory or control where the renderer writes/flips data.
3. Abuse Corruption: Memory corruption makes it possible to control further code flow, defeat sandbox, leak secrets, or get outside renderer sandbox boundary—possibly running code at a much higher privilege on your system.

2. Occurrence In-The-Wild

Google flagged this as exploited in-the-wild (reference). That means attackers were already using the bug before the patch appeared.

Timeline and Patch

- April 18, 2023: Patch released in Chrome v112..5615.137

Vulnerable Versions: All builds *before* 112..5615.137 on Windows, Mac, Linux

Patch Details:  
Skia code was updated to perform safe checks on size calculations, preventing integer overflows.

Enable Automatic Updates: Chrome handles its own upgrades. Don’t disable updates.

- Be Careful With Unknown Sites: Even patched, other bugs might lurk. Always use up-to-date browsers, and consider security tools or extensions.

References

1. NVD Entry for CVE-2023-2136
2. Chromium Security Release Notes
3. Skia Graphics Library
4. CWE-190: Integer Overflow

Conclusion

CVE-2023-2136 shows how a tiny math mistake—a single unchecked multiplication—can turn into a system-level threat in a widely used browser like Chrome. With attackers actively exploiting the bug at the time, it’s a strong reminder to keep your software up to date, and how even “simple” programming flaws can become dangerous in the web’s fast-moving world.

Timeline

Published on: 04/19/2023 04:15:00 UTC
Last modified on: 04/27/2023 02:15:00 UTC