Google on Tuesday announced a Chrome 125 update that resolves six vulnerabilities, including four high-severity bugs reported by external researchers.
The first issue, tracked as CVE-2024-5157, is a use-after-free flaw in Scheduling that was reported by Looben Yang a month ago. The researcher received an $11,000 bug bounty reward for the discovery.
Google has been battling use-after-free issues in Chrome for several years, as these types of bugs can lead to sandbox escape if an attacker can target a vulnerability in the underlying operating system or in a privileged Chrome process.
On Tuesday, Google also patched CVE-2024-5158, a type confusion bug in the V8 JavaScript engine, announcing that it has paid out a $10,000 bug bounty reward to Zhenghang Xiao, who reported the security defect in early May.
The browser update also resolves two heap buffer overflow issues, one impacting the ANGLE graphics layer engine (CVE-2024-5159) and another found in Dawn, Chrome’s implementation of the WebGPU standard (CVE-2024-5160).
The internet giant says it has paid out a $5,000 bug bounty reward for the ANGLE flaw but has yet to disclose the amount awarded for the Dawn issue.
The latest Chrome release is now rolling out as version 125.0.6422.76 for Linux and as versions 125.0.6422.76/.77 for Windows and macOS.
Google makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to update their browsers as soon as possible.
Promoted to the stable channel on May 15, Chrome 125 was released with patches for the seventh zero-day documented in the browser this year and the third Chrome zero-day to be resolved within a week.
Related: Google Patches Second Chrome Zero-Day in One Week
