Security Experts:

Connect with us

Hi, what are you looking for?



Google Patches Several Chrome Flaws That Can Be Exploited via Malicious Extensions

A Chrome 92 update released this week by Google patches 10 vulnerabilities, including several high-severity flaws that earned researchers tens of thousands of dollars in bug bounties.

A Chrome 92 update released this week by Google patches 10 vulnerabilities, including several high-severity flaws that earned researchers tens of thousands of dollars in bug bounties.

Researchers Leecraso and Guang Gong of the 360 Alpha Lab team at Chinese cybersecurity firm Qihoo 360 have earned $20,000 for a high-severity vulnerability tracked as CVE-2021-30590. Google described the issue as a heap buffer overflow in Bookmarks.

Leecraso told SecurityWeek that CVE-2021-30590 is a sandbox escape vulnerability that can be “exploited in combination with an extension or a compromised renderer.” An attacker can leverage the flaw to achieve remote code execution outside Chrome’s sandbox.

A high severity rating has also been assigned to two vulnerabilities reported by researcher David Erceg. CVE-2021-30592, described by Google as an out-of-bounds write issue in Tab Groups, earned him $10,000, while CVE-2021-30593, described as an out-of-bounds read bug in Tab Strips, earned him a $5,000 bug bounty.

“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “Since the vulnerability involves an out of bounds write, it could potentially be used to escape the browser’s sandbox. And exploiting it wouldn’t require anything but the user to install the extension.”

“As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out of bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.”

These were not the first extension-related Chrome vulnerabilities reported by Erceg to Google.

Another high-severity vulnerability for which Google paid out $20,000 is CVE-2021-30591, a use-after-free bug in the File System API. This issue was discovered by researcher SorryMybad from Kunlun Lab.

It’s worth noting that Google pays out up to $20,000 for Chrome sandbox escape vulnerabilities described in a high-quality report. Researchers can earn up to $30,000 for such flaws if they also provide a functional exploit.

It’s important that users update Chrome as soon as possible, considering that the web browser appears to be increasingly targeted in malicious attacks. Google this year patched more than half a dozen actively exploited zero-day flaws.

Related: Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched

Related: Chinese Researchers Earn Another $20,000 for Chrome Sandbox Escape

Related: Google Chrome Hit in Another Mysterious Zero-Day Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.