PatchSiren cyber security CVE debrief
CVE-2023-6345 Google CVE debrief
CVE-2023-6345 is a Google Chromium Skia integer overflow vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2023-11-30. Because it is on the KEV list, defenders should treat it as a live risk signal and validate patch status or mitigations promptly. CISA’s entry directs organizations to apply vendor mitigations or discontinue use of the product if mitigations are not available, and it notes that this issue may affect products that include the open-source component, so vendors should be checked individually for patching status.
- Vendor: Google
- Product: Chromium Skia
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2023-11-30
- Original CVE updated: 2023-11-30
- Advisory published: 2023-11-30
- Advisory updated: 2023-11-30
Who should care
Security teams responsible for Google Chromium/Skia-based products, browser or application teams that embed Chromium components, and asset owners who rely on vendor-delivered builds that may include Skia. If you operate a product that depends on this component, prioritize vendor advisories and patch validation.
Technical summary
The publicly supplied record identifies the issue as an integer overflow in Google Skia, listed under the product Chromium Skia. The available source material does not provide exploit mechanics, affected versions, or remediation specifics beyond CISA’s guidance to follow vendor mitigations. The key operational fact is that CISA lists it as known exploited, which elevates response urgency regardless of the limited detail in the public record.
Defensive priority
High. CISA has classified CVE-2023-6345 as known exploited and assigned a remediation due date of 2023-12-21 in the KEV catalog.
Recommended defensive actions
- Check the official vendor advisory and confirm whether your Chromium/Skia-based products are patched.
- Apply vendor-provided mitigations as soon as they are available.
- If mitigations are unavailable, remove or disable affected product usage where feasible, per CISA guidance.
- Inventory downstream products that embed Chromium or Skia and verify their patch status separately.
- Track exposure until the KEV due date has passed and remediation is confirmed across all affected systems.
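The inventory and tracking steps above can be scripted. The following is an added example, not part of the original debrief or of any CISA tooling: it matches a KEV-style record against an asset inventory and reports each affected asset's status relative to the KEV due date. The record is constructed from the values quoted on this page; the inventory, its field names, and the `triage` function are hypothetical.

```python
import json
from datetime import date

# Constructed KEV-style record; the values are the ones quoted on this page.
KEV_ENTRY = json.loads("""{
  "cveID": "CVE-2023-6345", "vendorProject": "Google", "product": "Chromium Skia",
  "vulnerabilityName": "Google Skia Integer Overflow Vulnerability",
  "dateAdded": "2023-11-30", "dueDate": "2023-12-21"}""")

# Hypothetical inventory. vendor_fix_confirmed: True = vendor confirmed a fixed
# build is deployed, False = confirmed unpatched, None = vendor not yet asked.
INVENTORY = [
    {"asset": "kiosk-browser", "embeds": ["Chromium"], "vendor_fix_confirmed": True},
    {"asset": "desktop-chat-client", "embeds": ["chromium", "skia"], "vendor_fix_confirmed": False},
    {"asset": "report-renderer", "embeds": ["Skia"], "vendor_fix_confirmed": None},
    {"asset": "log-shipper", "embeds": ["openssl"], "vendor_fix_confirmed": False},
]

def triage(entry, inventory, today):
    """Return one finding per asset that embeds a component named in the KEV entry."""
    due = date.fromisoformat(entry["dueDate"])
    # Match broadly on each word of the product field, because downstream
    # products may embed the component and must be checked vendor by vendor.
    wanted = set(entry["product"].lower().split())
    findings = []
    for item in inventory:
        if not wanted & {c.lower() for c in item["embeds"]}:
            continue  # asset does not embed Chromium or Skia
        if item["vendor_fix_confirmed"] is True:
            status = "remediated"
        elif today > due:
            status = "overdue"  # unpatched or unverified past the KEV due date
        else:
            status = "open"
        findings.append({"asset": item["asset"], "cve": entry["cveID"],
                         "status": status, "days_to_due": (due - today).days})
    return findings

if __name__ == "__main__":
    for finding in triage(KEV_ENTRY, INVENTORY, date(2023, 12, 22)):
        print(finding)
```

An asset whose vendor has not answered (`None`) is treated the same as a confirmed-unpatched one, so unverified products stay on the list until their patch status is established.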
Evidence notes
Evidence is limited to the supplied CISA KEV metadata and official reference links. CISA’s record names the vulnerability “Google Skia Integer Overflow Vulnerability,” identifies vendor/project as Google Chromium Skia, and records dateAdded 2023-11-30 with dueDate 2023-12-21. The KEV notes also state: “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable,” and advise checking with specific vendors for patching status because the issue affects a common open-source component or third-party library. The supplied official references include the CVE record, NVD entry, CISA KEV catalog, and the source-item URL.
Official resources
- CVE-2023-6345 CVE record: CVE.org
- CVE-2023-6345 NVD detail: NVD
- CISA Known Exploited Vulnerabilities catalog: CISA - Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- Source item URL: cisa_kev
Public debrief based only on supplied CISA KEV metadata and official reference links; no exploit instructions or unsupported details included.