Google on Tuesday announced the release of Chrome 98 in the stable channel with a total of 27 security fixes, including 19 for vulnerabilities reported by external researchers.
The most severe of these security defects could be exploited to execute arbitrary code with the same privileges as the Chrome browser has on the target system.
Of the 19 flaws, eight carry a severity rating of high, 10 are considered medium severity, and one is low risk. More than half of the externally reported vulnerabilities addressed in this release are use-after-free bugs.
The most important of these issues are CVE-2022-0452 and CVE-2022-0453, two use-after-free bugs in safe browsing and reader mode. The reporting researchers were awarded $20,000 rewards each, Google says in its advisory.
The company also reveals that it has paid $12,000 for a heap buffer overflow in ANGLE (CVE-2022-0454), $7,500 for inappropriate implementation in full screen mode (CVE-2022-0455), $7,000 for a use-after-free in web search (CVE-2022-0456), and $5,000 for a type confusion in V8 (CVE-2022-0457).
Two other high-severity use-after-free issues were addressed, one in thumbnail tab strip (CVE-2022-0458) and another in screen capture (CVE-2022-0459).
Six of the medium-severity flaws patched in Chrome 98 are use-after-free bugs (in window dialog, accessibility, extensions, payments, and cast), three are inappropriate implementations (in scroll, extensions, and pointer lock) and one is a policy bypass (in COOP).
The low-severity vulnerability patched with this release is an out-of-bounds memory access in V8.
Google says it has paid $88,000 in bug bounty rewards to the reporting researchers, but has yet to announce the payouts for six of the resolved issues.
All these vulnerabilities were addressed with the release of Chrome 98.0.4758.80/81/82 for Windows and Chrome 98.0.4758.80 for macOS and Linux.