Chrome 131 Update Patches High-Severity Memory Safety Bugs

Google has released a Chrome 131 update to patch multiple high-severity memory safety vulnerabilities, including three affecting the V8 JavaScript engine.

Google on Wednesday announced a Chrome browser update that resolves five vulnerabilities, including four high-severity memory safety bugs reported by external researchers.

Tracked as CVE-2024-12692, the first of the externally reported issues is a type confusion flaw in the browser’s V8 JavaScript engine, for which Google paid out $55,000 to the researcher who reported it.

While the internet giant has kept bug details restricted, such a bug bounty amount is typically handed out for defects that could lead to remote code execution (RCE).

Type confusion issues are prevalent in programming languages that lack memory safety mechanisms, and the successful exploitation of such flaws in Chrome’s V8 engine could allow threat actors to leak sensitive information or potentially compromise a victim’s system.

The second externally reported vulnerability is another memory safety issue in the V8 engine. Tracked as CVE-2024-12693 and described as an out-of-bounds memory access bug, it earned the reporting researcher a $20,000 bug bounty reward.

The browser update also addresses CVE-2024-12694, a high-severity use-after-free issue in Compositing, and CVE-2024-12695, an out-of-bounds write flaw in the V8 engine. Google has not disclosed the bug bounty amounts to be paid for these two vulnerabilities.

The latest Chrome iteration is now rolling out to users as versions 131.0.6778.204/.205 for Windows and macOS, and as version 131.0.6778.204 for Linux. Google makes no mention of any of these flaws being exploited in the wild.

Over the past several years, Google has taken multiple steps to make memory safety defects in Chrome harder for threat actors to exploit, while also investing in eliminating such vulnerabilities from its codebase, including by transitioning to Rust, which is considered a memory-safe programming language.

The transition to Rust has led to a significant drop in memory safety bugs in Android over the past five years, and similar improvements are expected in Chrome as well, since Google will be transitioning the browser to Rust too.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
