Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities

Google and Mozilla have released patches for 21 and 15 vulnerabilities in Chrome and Firefox, respectively.

Google and Mozilla on Tuesday announced the release of Chrome 126 and Firefox 127 to the stable channel with patches for multiple high-severity memory safety vulnerabilities.

Chrome 126 includes 21 security fixes, 18 of them for defects reported by external researchers. The reporting researchers, Google notes in its advisory, received over $160,000 in bug bounty rewards for their findings.

At $100,115, the highest reward was handed out for CVE-2024-5839, described as a medium-severity inappropriate implementation in Memory Allocator.

As usual, Google does not provide details on the vulnerability, but the bug bounty amount is consistent with the MiraclePtr bypass rewards the internet giant is offering as part of its Vulnerability Reward Program (VRP).

MiraclePtr is the technology that Google announced in 2022 to reduce the exploitability of use-after-free vulnerabilities in Chrome. It was enabled across Linux, Mac, and ChromeOS last year.

Google also paid out a $25,000 reward for CVE-2024-5830, a high-severity type confusion issue in the V8 JavaScript engine.

Of the externally reported flaws patched by Chrome 126, nine are rated ‘high severity’: two use-after-free issues in Dawn, four type confusion issues in V8, inappropriate implementations in Dawn and DevTools, and a heap buffer overflow in Tab Groups.

The browser update also resolves eight other medium-severity bugs reported by external researchers, including five use-after-free issues, a policy bypass, an inappropriate implementation, and a heap buffer overflow.

Google has yet to determine the bug bounty amounts to be paid for seven of the vulnerabilities reported externally. The latest Chrome iteration is now rolling out as version 126.0.6478.54 for Linux and as versions 126.0.6478.56/57 for Windows and macOS.

Firefox 127 was released on Tuesday with patches for 15 vulnerabilities, including four high-severity issues, three of which are memory safety bugs.

Tracked as CVE-2024-5687, the first high-severity flaw resulted in an incorrect principal being used when opening new tabs if a specific sequence of actions was performed. The issue is specific to Firefox for Android.

“The triggering principal is used to calculate many values, including the Referer and Sec- headers, meaning there is the potential for incorrect security checks within the browser in addition to incorrect or misleading information sent to remote websites,” Mozilla explains.

Firefox 127 also addresses a high-severity use-after-free bug in JavaScript object transplant (CVE-2024-5688) and memory safety bugs (CVE-2024-5700 and CVE-2024-5701) that could potentially be exploited to execute arbitrary code.

On Tuesday, Mozilla also announced the release of Firefox ESR 115.12 with patches for eight vulnerabilities, including seven addressed with Firefox 127. The eighth, tracked as CVE-2024-5702, is a high-severity use-after-free issue in networking.

Neither Google nor Mozilla makes any mention of any of these flaws being exploited in the wild.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
