Security Experts:

Connect with us

Hi, what are you looking for?



Chrome 111 Patches 40 Vulnerabilities

Google has released Chrome 111 in the stable channel with patches for 40 vulnerabilities, including eight high-severity bugs

Google this week announced the release of Chrome 111 to the stable channel with patches for 40 vulnerabilities.

A total of 24 of the addressed security defects were reported by external researchers. These include eight high-severity flaws, 11 medium-severity bugs, and five low-severity issues.

Three of the high-severity vulnerabilities reported by external researchers are use-after-free bugs impacting Swiftshader, DevTools, and WebRTC, for which Google handed out bounty rewards of $15,000, $4,000, and $3,000, respectively.

The internet giant’s advisory also mentions two type confusion flaws in V8 and CSS, awarded $10,000 and $7,000, respectively; a stack buffer overflow issue in Crash reporting, for which a $3,000 reward was paid; and two heap buffer overflow bugs in Metrics and UMA, for which rewards have yet to be determined.

Six of the externally reported medium-severity flaws are insufficient policy enforcement bugs impacting browser components such as extensions API, autofill, web payments API, navigation, and intents.

Additionally, Chrome 111 resolves medium-severity inappropriate implementation issues in permission prompts, WebApp installs, and autofill, a heap buffer overflow bug in the Web Audio API, and a use-after-free vulnerability in Core.

The externally reported low-severity defects resolved with this browser update include two insufficient policy enforcement issues in Resource Timing, an inappropriate implementation flaw in intents, a type confusion bug in DevTools, and an inappropriate implementation vulnerability in Internals.

Google says it paid more than $90,000 in bug bounty rewards to the reporting researchers, but the total amount could be much higher, as the company has yet to determine the amounts to be handed out for several vulnerability reports.

The internet giant makes no mention of any of these vulnerabilities being exploited in attacks.

The latest Chrome iteration is currently rolling out as versions 111.0.5563.64/.65 for Windows and as version 111.0.5563.64 for Linux and macOS.

Related: Chrome 110 Patches 15 Vulnerabilities

Related: Security Update for Chrome 109 Patches 6 Vulnerabilities

Related: Chrome 109 Patches 17 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet