
Urgent: 2nd Chrome zero-day vulnerability patched in 5 days


On Wednesday, April 19, Google Chrome, Microsoft Edge, Brave, and Vivaldi browsers were updated to address yet another zero-day vulnerability that has been actively exploited in the wild.

Google says that it “is aware that an exploit for CVE-2023-2136 exists in the wild.” This means that patches need to be installed urgently. This particular vulnerability exists in Chromium’s Skia graphics library.

This update comes hot on the heels of CVE-2023-2033, another actively exploited vulnerability that Google and others patched on Friday.

Chrome, Edge, Brave, and Vivaldi are all based on the Chromium open-source Web browser project. Other Chromium-based browsers may need updates as well.

Opera, another well-known Chromium-based browser, had not yet released a security update as of the time this article was published. The vulnerability presumably impacts Opera as well, so an update may be forthcoming either this week or next week. The company usually releases weekly browser updates on either Wednesday or Thursday. Opera had finally released a patch for last Friday’s CVE-2023-2033 on Tuesday, just a day before the second major vulnerability came to light. Update: Opera finally released a fix for CVE-2023-2136 on Wednesday, April 26—an entire week later.

How to update Chromium-based desktop browsers

Mac users can update their Chrome, Edge, or Brave browsers by clicking on the application menu (e.g. “Chrome” or “Microsoft Edge,” next to the Apple logo menu), and then clicking the first item in that menu (e.g. “About Google Chrome” or “About Microsoft Edge”). The browser will check for updates, and if an update is available, it will prompt you to restart the app to complete the update.

When an Opera update for macOS is released, the process will be the same as the other browsers above.

Vivaldi for macOS has a slightly different update procedure. After clicking on the Vivaldi menu (next to the Apple menu), click on “Check for Updates…” to ensure you have the latest version installed.

Windows users can update their browsers by following the steps provided by each browser maker: Chrome, Edge, Brave, Vivaldi, Opera.

How to update Chromium-based mobile browsers

Android users should check the Google Play Store app to receive the latest versions of browsers and other apps.

Mobile browsers on iOS and iPadOS use Safari’s WebKit engine, rather than Chromium’s Blink and V8 engines. Therefore, this particular vulnerability does not affect the iOS or iPadOS versions of any Web browsers. If you would like to update your iPhone and iPad browsers anyway, you can do so via the App Store. (Here’s how to manually check for and install updates.) Note that Vivaldi is not yet available for iOS.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.