Connect with us

Hi, what are you looking for?



Chrome 120 Update Patches High-Severity Vulnerabilities

A Chrome 120 security update resolves nine vulnerabilities, including five high-severity flaws reported externally.

Google on Tuesday announced the release of a Chrome 120 security update that addresses nine vulnerabilities, six of which were reported by external researchers.

Of the externally reported flaws, five have a severity rating of ‘high’, four of which are use-after-free issues, Google notes in its advisory. The company handed out $50,000 in rewards to the reporting researchers.

Based on the bug bounty reward that was paid out, the most severe of the resolved vulnerabilities is a type confusion bug in the V8 JavaScript engine.

The issue is tracked as CVE-2023-6702 and was reported by Codesafe Team of Legends researchers, who received a $16,000 bug bounty for the finding.

The remaining four high-severity flaws are use-after-free bugs in the browser’s Blink, libavif, WebRTC, and FedCM components. The internet giant says it handed out $7,000 rewards for the first three and a $6,000 bug bounty for the fourth.

Google also patched a medium-severity use-after-free vulnerability in CSS, for which it paid out a $7,000 bounty.

Use-after-free vulnerabilities are memory corruption bugs that can be exploited to execute arbitrary code, corrupt data, or cause denial-of-service. In Chrome, these issues can be exploited to escape the sandbox, but only if combined with a flaw in the underlying OS or in a privileged process.

As usual, the internet giant has restricted access to vulnerability details, waiting for most users to apply the available fixes.

Advertisement. Scroll to continue reading.

The latest Chrome iteration is now rolling out to macOS, Linux, and Windows users as version 120.0.6099.109. Google also announced that the extended channel for macOS has been updated to the same version.

The internet giant makes no mention of any of these security holes being exploited in the wild. Google has patched seven zero-day vulnerabilities in Chrome to date in 2023.

Related: Chrome 120 Patches 10 Vulnerabilities

Related: Chrome 119 Patches 15 Vulnerabilities

Related: Firefox, Chrome Updates Patch High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.