Google this week announced the release of Chrome 103 to the stable channel with patches for a total of 14 vulnerabilities, including nine reported by external researchers.
The most severe of these bugs is CVE-2022-2156, which is described as a critical-severity use-after-free issue in Base.
The security flaw was identified by Mark Brand of Google Project Zero. Per Google’s policy, no bug bounty reward will be handed out for this vulnerability.
Leading to arbitrary code execution, corruption of data, or denial of service, use-after-free flaws are triggered when a program frees memory allocation but does not clear the pointer after that.
If combined with other security holes, use-after-free bugs can lead to full system compromise. In Chrome, they can often be exploited to escape the browser’s sandbox.
Chrome 103 resolves three other use-after-free vulnerabilities found by external researchers, impacting components such as Interest groups (CVE-2022-2157, high severity), WebApp Provider (CVE-2022-2161, medium severity), and Cast UI and Toolbar (CVE-2022-2163, low severity).
The latest Chrome update also resolves an externally-reported high-severity type confusion flaw in the V8 JavaScript and WebAssembly engine (CVE-2022-2158), along with four other medium- and low-severity issues.
Google says it has paid out a total of $44,000 in bug bounty rewards to the reporting researchers. The internet giant makes no mention of any of these vulnerabilities being exploited in attacks.
The latest Chrome release is currently rolling out to Windows, Mac, and Linux users as version 103.0.5060.53.
Related: Chrome 102 Update Patches High-Severity Vulnerabilities
Related: Chrome 102 Patches 32 Vulnerabilities
Related: Chrome 101 Update Patches High-Severity Vulnerabilities