Connect with us

Hi, what are you looking for?



Google Patches Several Chrome Flaws That Can Be Exploited via Malicious Extensions

A Chrome 92 update released this week by Google patches 10 vulnerabilities, including several high-severity flaws that earned researchers tens of thousands of dollars in bug bounties.

A Chrome 92 update released this week by Google patches 10 vulnerabilities, including several high-severity flaws that earned researchers tens of thousands of dollars in bug bounties.

Researchers Leecraso and Guang Gong of the 360 Alpha Lab team at Chinese cybersecurity firm Qihoo 360 have earned $20,000 for a high-severity vulnerability tracked as CVE-2021-30590. Google described the issue as a heap buffer overflow in Bookmarks.

Leecraso told SecurityWeek that CVE-2021-30590 is a sandbox escape vulnerability that can be “exploited in combination with an extension or a compromised renderer.” An attacker can leverage the flaw to achieve remote code execution outside Chrome’s sandbox.

A high severity rating has also been assigned to two vulnerabilities reported by researcher David Erceg. CVE-2021-30592, described by Google as an out-of-bounds write issue in Tab Groups, earned him $10,000, while CVE-2021-30593, described as an out-of-bounds read bug in Tab Strips, earned him a $5,000 bug bounty.

“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “Since the vulnerability involves an out of bounds write, it could potentially be used to escape the browser’s sandbox. And exploiting it wouldn’t require anything but the user to install the extension.”

“As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out of bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.”

These were not the first extension-related Chrome vulnerabilities reported by Erceg to Google.

Another high-severity vulnerability for which Google paid out $20,000 is CVE-2021-30591, a use-after-free bug in the File System API. This issue was discovered by researcher SorryMybad from Kunlun Lab.

Advertisement. Scroll to continue reading.

It’s worth noting that Google pays out up to $20,000 for Chrome sandbox escape vulnerabilities described in a high-quality report. Researchers can earn up to $30,000 for such flaws if they also provide a functional exploit.

It’s important that users update Chrome as soon as possible, considering that the web browser appears to be increasingly targeted in malicious attacks. Google this year patched more than half a dozen actively exploited zero-day flaws.

Related: Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched

Related: Chinese Researchers Earn Another $20,000 for Chrome Sandbox Escape

Related: Google Chrome Hit in Another Mysterious Zero-Day Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.