Google this week announced that the first stable release of Chrome 110 brings 15 security fixes, including 10 that address vulnerabilities reported by external researchers.
Of the externally reported bugs, three are rated ‘high severity’. These include a type confusion flaw in the V8 engine, an inappropriate implementation issue in full screen mode, and an out-of-bounds read vulnerability in WebRTC.
Tracked as CVE-2023-0696, the first of the security defects is described as a heap corruption that can be exploited remotely via a crafted HTML page. Google paid a $7,000 bug bounty to the reporting researcher.
The second high-severity flaw, CVE-2023-0697, impacts Chrome for Android and could allow a remote attacker to use a crafted HTML page to spoof the contents of the security UI. Google rewarded the reporting researcher $4,000 for this bug.
CVE-2023-0698, the third issue, could be exploited remotely via an HTML page to perform an out-of-bounds memory read. The reporting researcher received a $2,000 bug bounty for the find, Google notes in its advisory.
Chrome 110 also resolves five medium-severity vulnerabilities reported by external researchers, including a use-after-free flaw in GPU, an inappropriate implementation bug in Download, a heap buffer overflow defect in WebUI, and two type confusion issues in Data Transfer and DevTools.
Google says it handed out over $26,000 in bug bounty rewards to the reporting researchers.
The internet giant makes no mention of any of these vulnerabilities being exploited in attacks.
The latest Chrome release is rolling out to users as versions 110.0.5481.77/.78 for Windows, and version 110.0.5481.77 for Mac and Linux.
The iOS and Android versions of the browser have been updated to 110.0.5481.83 and 110.0.5481.63/.64, respectively.
Related: Security Update for Chrome 109 Patches 6 Vulnerabilities
Related: Chrome 109 Patches 17 Vulnerabilities
Related: High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update