Google on Tuesday released a Chrome browser security update to address seven vulnerabilities, including four reported by external researchers.
The most severe of the externally reported flaws is a use-after-free bug in ANGLE, the open source cross-platform graphics engine used in Chrome and other popular browsers.
The issue is tracked as CVE-2024-2883 and Google notes in its advisory that the researcher who discovered the bug has received a $10,000 bug bounty reward.
According to the advisory, the three other defects reported by external researchers are all high-severity vulnerabilities.
The first is CVE-2024-2885, a use-after-free issue in Dawn. The remaining two flaws, tracked as CVE-2024-2886 and CVE-2024-2887, are zero-day vulnerabilities that were exploited and reported last week at the Pwn2Own Vancouver 2024 hacking contest. No additional bounty rewards, aside from those earned at the competition, were handed out for these issues.
CVE-2024-2886, a use-after-free in WebCodecs, was demonstrated by Seunghyun Lee of KAIST Hacking Lab, who exploited two such issues in the browser at the hacking contest and earned a total of $145,000 in rewards.
CVE-2024-2887 is a Type Confusion bug in WebAssembly, exploited on the first day of Pwn2Own by security researcher Manfred Paul, who earned a $42,500 reward for it.
Paul also demonstrated Safari and Firefox vulnerabilities at the hacking contest, earning a total of over $200,000 in rewards and winning the competition. Mozilla was first to release patches for the zero-day demonstrated at Pwn2Own.
The latest Chrome iteration is now rolling out as version 123.0.6312.86/.87 for Windows and macOS, and as version 123.0.6312.86 for Linux.
While Google makes no mention of any of these vulnerabilities being exploited in the wild, users are advised to update their browsers as soon as possible.
Related: Despite Surge in Zero-Days, Exploit Mitigations Are Working
Related: Chrome 123, Firefox 124 Patch Serious Vulnerabilities
Related: Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities
Related: Chrome’s Standard Safe Browsing Now Has Real-Time URL Protection