Google on Tuesday announced the release of Chrome 129 in the stable channel with patches for nine vulnerabilities, including six reported by external researchers.
The most severe of the externally reported flaws is a type confusion bug in the V8 JavaScript engine, tracked as CVE-2024-8904, the internet giant notes in an advisory.
A type of memory safety bugs, type confusion issues allow attackers to modify variables and trigger unexpected application behavior. Successful exploitation of such defects could lead to crashes, remote code execution, and other types of attacks.
Chrome 129 also addresses three medium-severity vulnerabilities reported by external researchers, namely inappropriate implementation in V8, incorrect security UI in Downloads, and insufficient data validation in Omnibox.
The update also resolves two low-severity inappropriate implementation flaws, impacting Chrome’s Autofill and UI components.
As usual, Google is keeping access to vulnerability details restricted, at least until most users have updated to a patched Chrome release.
The internet giant says it handed out $13,000 in bug bounty payouts to the reporting researchers, with the highest reward going to Ganjiang Zhou of ChaMd5-H1 team for the inappropriate implementation in V8.
However, Google has yet to determine the bug bounty amount to be paid for the high-severity V8 security defect, and the total amount could be much higher.
The latest Chrome iteration is now rolling out as versions 129.0.6668.58/.59 for Windows and macOS, and as version 129.0.6668.58 for Linux. Google makes no mention of any of these vulnerabilities being exploited in the wild.
Related: New Chrome Features Protect Users Against Threats, Provide More Control Over Personal Data
Related: Chrome 128 Update Resolves High-Severity Vulnerabilities
Related: Google Backs Creation of Cybersecurity Clinics With $20 Million Donation
Related: Web Browsers Vulnerable to 14 New Types of XS-Leak Attacks