Google on Tuesday announced the release of a Chrome 120 security update that addresses nine vulnerabilities, six of which were reported by external researchers.
Of the externally reported flaws, five have a severity rating of ‘high’, four of which are use-after-free issues, Google notes in its advisory. The company handed out $50,000 in rewards to the reporting researchers.
Based on the bug bounty reward that was paid out, the most severe of the resolved vulnerabilities is a type confusion bug in the V8 JavaScript engine.
The issue is tracked as CVE-2023-6702 and was reported by Codesafe Team of Legends researchers, who received a $16,000 bug bounty for the finding.
The remaining four high-severity flaws are use-after-free bugs in the browser’s Blink, libavif, WebRTC, and FedCM components. The internet giant says it handed out $7,000 rewards for the first three and a $6,000 bug bounty for the fourth.
Google also patched a medium-severity use-after-free vulnerability in CSS, for which it paid out a $7,000 bounty.
Use-after-free vulnerabilities are memory corruption bugs that can be exploited to execute arbitrary code, corrupt data, or cause denial-of-service. In Chrome, these issues can be exploited to escape the sandbox, but only if combined with a flaw in the underlying OS or in a privileged process.
As usual, the internet giant has restricted access to vulnerability details, waiting for most users to apply the available fixes.
The latest Chrome iteration is now rolling out to macOS, Linux, and Windows users as version 120.0.6099.109. Google also announced that the extended channel for macOS has been updated to the same version.
The internet giant makes no mention of any of these security holes being exploited in the wild. Google has patched seven zero-day vulnerabilities in Chrome to date in 2023.
Related: Chrome 120 Patches 10 Vulnerabilities
Related: Chrome 119 Patches 15 Vulnerabilities
Related: Firefox, Chrome Updates Patch High-Severity Vulnerabilities
