Google has rolled out six Chrome security fixes including one emergency patch for a bug for which exploit code is already out there. You're encouraged to thus grab the latest updates for the browser.

This latest zero-day flaw, tracked as CVE-2023-6345, is a high-severity integer overflow vulnerability in Skia, a popular graphics library used by Chrome. To exploit this bug, an attacker would need to have already compromised the renderer process, at which point they may be able to perform a sandbox escape via a malicious file. 

"Google is aware that an exploit for CVE-2023-6345 exists in the wild," according to the Chocolate Factory.

Google doesn't provide a whole lot of detail about the bug, nor any details about who may be exploiting it and to what nefarious end.

It does note, however, that Benoît Sevens and Clément Lecigne, both members of Google's Threat Analysis Group (TAG), found and reported the vulnerability, which indicates it could have been abused to deploy spyware on victims' machines - TAG tracks more than 30 commercial spyware vendors selling exploits and surveillance tools.

In late 2021, Citizen Lab found an integer overflow bug in Apple iMessage being abused to drop Pegasus spyware on a Saudi Arabian activist's phone.

We'd highly suggest updating your Chrome browser as soon as possible to avoid any unwanted flying horses for the holidays.

In addition to the CVE with exploit code in the wild, the latest Chrome release addresses five other high-severity flaws. These include a type confusion vulnerability in spellcheck tracked as CVE-2023-6348 and an out-of-bounds memory access bug in libavif tracked as CVE-2023-6350.

Additionally, Google pushed patches for three use-after-free flaws: one in Mojo tracked as CVE-2023-6347, and one in WebAUdio tracked as CVE-2023-6346, and one in libavif tracked as CVE-2023-6351.

Google isn't aware of any in-the-wild exploits for these issues. ®

https://www.theregister.com//2023/11/30/chrome_zeroday/