Connect with us

Hi, what are you looking for?



Chrome 116 Patches 26 Vulnerabilities

Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser.

Google on Tuesday announced the release of Chrome 116 to the stable channel with patches for 26 vulnerabilities, including 21 reported by external researchers.

Of the externally reported bugs, eight have a severity rating of ‘high’, with most of them being memory safety issues.

Based on the bug bounty reward paid out, the most important of these is CVE-2023-2312, a use-after-free flaw in the Offline component. The reporting researcher was awarded a $30,000 bounty for the finding, Google’s advisory reveals.

Next in line is CVE-2023-4349, a use-after-free issue in Device Trust Connectors, followed by an inappropriate implementation in Fullscreen (CVE-2023-4350), and a use-after-free bug in Network (CVE-2023-4351), for which Google paid out bounties of $5,000, $3,000, and $2,000, respectively.

The remaining four high-severity vulnerabilities that Chrome 116 resolves include a type confusion flaw in the V8 JavaScript engine, a heap buffer overflow bug in ANGLE, another in Skia, and an out-of-bounds memory access issue in the V8 engine.

These issues were reported by researchers at Google Project Zero and Microsoft Vulnerability Research and, per Google’s policy, no bug bounty reward will be issued for them.

All the remaining externally-reported vulnerabilities addressed in Chrome 116 are medium-severity: six inappropriate implementation bugs, three use-after-free issues, two insufficient policy enforcement flaws, one insufficient validation of untrusted input, and one heap buffer overflow vulnerability.

Advertisement. Scroll to continue reading.

Overall, Google handed out $63,000 in bug bounty rewards to the reporting researchers.

The internet giant makes no mention of any of these vulnerabilities being exploited in attacks.

The latest Chrome iteration is rolling out as version 116.0.5845.96 for Mac and Linux and as versions 116.0.5845.96/.97 for Windows.

Starting with Chrome 116, the internet giant announced last week, patches for the popular browser will be shipped on a weekly basis, to ensure that fixes for newly discovered flaws reach users faster.

Major Chrome iterations will continue to arrive every four weeks, but stable updates, which have been released every two weeks since 2020, will now be more frequent, reducing the patch gap.

“While we can’t fully remove the potential for n-day exploitation, a weekly Chrome security update cadence allows up to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult,” Google said.

Related: Google Awards Over $60,000 for V8 Vulnerabilities Patched With Chrome 115 Update

Related: Chrome 115 Patches 20 Vulnerabilities

Related: Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.