CVE-2023-6345 - How an Integer Overflow in Skia Led to Chrome Sandbox Escape (Explained Simply)

On November 28, 2023, Google published a high-severity vulnerability affecting Chrome: CVE-2023-6345. This flaw targets the graphics library Skia, which Chrome uses to render images and graphics. An attacker who already controls Chrome’s renderer process (usually through another exploit) could use this bug to potentially break out of Chrome’s security sandbox and access the underlying system. This post breaks down what happened, why it matters, and how attackers could exploit it.

What Is CVE-2023-6345?

CVE-2023-6345 is an integer overflow vulnerability in Skia, Chromium’s graphic engine.

Potential Impact: Sandbox escape—meaning Chrome’s core security boundary can be broken

> Integer overflow bugs are simple but very powerful. If a number gets too big for its intended storage (for example, adding two uint32_t numbers that overflow 32 bits), the excess is discarded, leading to wild values being written or read elsewhere in memory.

Exploit Scenario: What Could an Attacker Do?

For this bug to be useful, an attacker needs control of Chrome’s renderer process—the process that parses, renders, and handles web content. In practice, this usually means the attacker has already found a way to execute some code in the renderer via a different vulnerability (think of it as step 2 in a typical attack chain).

Corrupt memory inside the renderer (buffer overflows or underflows).

3. Escalate privileges or break out of the renderer sandbox, potentially gaining access to the full operating system.

According to Google’s advisory

> Integer overflow in Skia in Google Chrome prior to 119..6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file...
> — Chrome Release Notes

The bug was in how Skia calculated or allocated memory for image processing. Let’s look at a simplified code example that shows the kind of mistake that leads to integer overflows:

// Example: Integer overflow when allocating buffer
uint32_t width = user_supplied_width;
uint32_t height = user_supplied_height;
uint32_t bpp = 4; // bytes per pixel for RGBA

uint32_t row_size = width * bpp;
uint32_t buffer_size = row_size * height;

// If width or height is very large, one of these multiplications can overflow
uint8_t* buffer = (uint8_t*)malloc(buffer_size);

// Attacker could craft width, height so buffer_size wraps around
// leading to small heap allocation, but later code will write as if it's much larger

Here, if width or height are large, buffer_size can “wrap around”—that is, become much smaller than expected. The system allocates a tiny chunk of memory, but later code writes to it as if it’s full size. This allows attackers to overwrite adjacent data, which is a classic way to gain code execution.

Realistic Exploit Steps

1. Find or create a malformed image file (e.g., a specially crafted BMP, PNG, or SVG) with bogus dimensions.

Trigger the integer overflow to corrupt process memory, escape the sandbox.

Note: A full “one-click remote attack” is unlikely, but pairing this with a remote code execution or renderer exploit makes the scenario realistic.

Here’s a simplified JavaScript snippet, showing how an attacker might start the process

// This won't work on its own, but shows the idea
let crazyWidth = x40000000; // Very large
let crazyHeight = x40000000; // Ditto

// Create a Canvas, abuse drawImage()
let canvas = document.createElement('canvas');
canvas.width = crazyWidth;
canvas.height = crazyHeight;
let ctx = canvas.getContext('2d');

// Try to draw an image with overly large dimensions
let img = new Image();
img.src = 'data:image/png;base64,iVBORwKGgoAAAANSUhEUgAA...';
img.onload = function() {
  try {
    ctx.drawImage(img, , , crazyWidth, crazyHeight);
  } catch (e) {
    // The exploit would trigger a crash here in unpatched browser
    console.log('Possible memory corruption!', e);
  }
};

In a vulnerable version of Chrome, this could cause an overflow deep in Skia, leading to a crash or memory corruption.

Chrome Release bulletin:

Stable Channel Update for Desktop

Chromium CVE listing:

CVE-2023-6345 - Chromium Security

Skia GitHub repository:

https://github.com/google/skia

Related patch (example):

Chromium: Fix integer overflows in Skia allocation (sample)

Impact and Why This Matters

Sandbox escapes are among the most prized browser vulnerabilities—they enable attackers to run code outside the “safe” zone, potentially infecting computers, stealing files, or installing ransomware. This is why Chrome and other browsers rush to patch such flaws and often release them “out-of-band.”

Many attacks still depend on user interaction.

- Be aware: Bugs in graphics libraries (like Skia) are common attack vectors due to their complexity.

Conclusion

CVE-2023-6345 shows that even small “math” mistakes in code can have big consequences—letting attackers walk right past security barriers in the world’s most popular browser. Prompt patching and strong sandboxing are vital, but developers must remain vigilant for simple coding errors, especially when dealing with numbers and memory.

If you’re a developer, always use safe integer handling and test edge cases!

*This post is an exclusive, simplified deep-dive into CVE-2023-6345. For the original details and Chrome’s fix, visit the official release notes.*

Timeline

Published on: 11/29/2023 12:15:07 UTC
Last modified on: 12/05/2023 17:15:08 UTC