
Chrome 112 Patches 16 Security Flaws

This week, Google released Chrome 112 in the stable channel, which contains patches for 16 reported vulnerabilities. Out of the reported flaws, 14 were submitted by external researchers. Of these, two are ‘high severity’ issues, nine have been rated ‘medium severity’, and the remaining three are ‘low severity’.

The most severe of these is a heap buffer overflow vulnerability in Visuals, tracked as CVE-2023-1810, which earned the reporting researcher a $5,000 bug bounty reward. Next in line is a use-after-free flaw in Frames, tracked as CVE-2023-1811, which earned a $3,000 bug bounty reward. This issue could lead to a crash or malicious code execution.

The Chrome 112 release also includes fixes for medium-severity vulnerabilities such as out-of-bounds memory access, inappropriate implementation, insufficient validation of untrusted input, use-after-free, incorrect security UI, insufficient policy enforcement, out-of-bounds read, and heap buffer overflow issues, in various components such as DOM Bindings, Extensions, Safe Browsing, Networking APIs, Picture In Picture, Intents, Vulkan, Accessibility, and Browser History. The low-severity vulnerabilities impact WebShare, Navigation, and FedCM components.

Google has paid out roughly $26,000 in bug bounty rewards for the reported vulnerabilities, though the final amount could be higher as the company has yet to determine the amount for two of the bugs. Google has not mentioned any of these vulnerabilities being exploited in attacks.

The latest iteration of Chrome is now rolling out as version 112.0.5615.49/50 for Windows and as version 112.0.5615.49 for Linux and macOS.
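A fleet check against the fixed builds named above, as an added example that is not part of the original article: it compares versions numerically per platform, because a plain string comparison misorders builds such as `.121` and `.49`. The inventory rows, hostnames and function names are constructed for illustration.

```python
# Added example: inventory rows below are constructed sample data.
import re

# Fixed builds as stated in the article (Windows shipped .49 or .50; .49 is the floor).
PATCHED = {
    "windows": (112, 0, 5615, 49),
    "linux": (112, 0, 5615, 49),
    "macos": (112, 0, 5615, 49),
}

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part Chrome version."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def audit(inventory):
    """Classify each (host, platform, version) row as patched, outdated or unknown."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, platform, version in inventory:
        floor = PATCHED.get(platform.lower())
        parsed = parse_version(version)
        if floor is None or parsed is None:
            report["unknown"].append(host)  # unrecognised platform or unparsable version
        elif parsed >= floor:
            report["patched"].append(host)
        else:
            report["outdated"].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "112.0.5615.50"),
    ("ws-002", "Windows", "111.0.5563.147"),
    ("lx-003", "Linux", "112.0.5615.121"),  # numerically newer; a string compare says older
    ("mac-004", "macOS", "112.0.5615.49"),
    ("ws-005", "Windows", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual look rather than being counted as patched.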

Key Points:
• Google released Chrome 112 in the stable channel, with patches for 16 reported vulnerabilities.
• Of the 14 flaws submitted by external researchers, two are ‘high severity’ issues and nine have been rated ‘medium severity’, while the remaining three are ‘low severity’.
• The Chrome 112 release includes fixes for medium-severity vulnerabilities such as out-of-bounds memory access, inappropriate implementation, insufficient validation of untrusted input, use-after-free, incorrect security UI, insufficient policy enforcement, out-of-bounds read, and heap buffer overflow issues.
• Google has paid out roughly $26,000 in bug bounty rewards for the reported vulnerabilities, though the final amount could be higher.
• The latest iteration of Chrome is now rolling out as version 112.0.5615.49/50 for Windows and as version 112.0.5615.49 for Linux and macOS.
