Chrome 113 Security Update Patches Critical Vulnerability

Google this week announced the release of a Chrome 113 security update that resolves a total of 12 vulnerabilities, including one rated ‘critical’. Six of the flaws were reported by external researchers.

Tracked as CVE-2023-2721 and reported by Qihoo 360 researcher Guang Gong, the issue is described as a use-after-free flaw in Navigation.

A remote attacker could craft an HTML page to trigger a heap corruption when a user accesses the page. The attacker would have to convince the user to visit the page.

Use-after-free vulnerabilities are memory corruption bugs that occur when the pointer is not cleared after memory allocation is freed, which could lead to arbitrary code execution, denial-of-service, or data corruption.

In Chrome, use-after-free issues can be exploited to escape the browser sandbox, which also requires for the attacker to target a vulnerability in the underlying system or in Chrome’s browser process.

The latest Chrome update addressed three other externally reported use-after-free flaws, all rated ‘high’ severity. The vulnerabilities impact the browser’s Autofill UI, DevTools, and Guest View components.

The new browser release also resolves a high-severity type confusion bug in the V8 JavaScript engine and a medium-severity inappropriate implementation issue in WebApp Installs.

Google says it paid $11,500 in bug bounties to the reporting researchers. However, the company has yet to determine the amounts to be paid for two of the vulnerabilities, including the critical-severity one, and the final amount could be higher.

The latest Chrome iteration is now rolling out as version 113.0.5672.126 for macOS and Linux, and as versions 113.0.5672.126/.127 for Windows.

Related: Chrome 113 Released With 15 Security Patches

Related: Google Patches Second Chrome Zero-Day Vulnerability of 2023

Related: Google Improves Chrome Protections Against Use-After-Free Bug Exploitation