A Chrome 92 update released this week by Google patches 10 vulnerabilities, including several high-severity flaws that earned researchers tens of thousands of dollars in bug bounties.
Researchers Leecraso and Guang Gong of the 360 Alpha Lab team at Chinese cybersecurity firm Qihoo 360 have earned $20,000 for a high-severity vulnerability tracked as CVE-2021-30590. Google described the issue as a heap buffer overflow in Bookmarks.
Leecraso told SecurityWeek that CVE-2021-30590 is a sandbox escape vulnerability that can be “exploited in combination with an extension or a compromised renderer.” An attacker can leverage the flaw to achieve remote code execution outside Chrome’s sandbox.
A high severity rating has also been assigned to two vulnerabilities reported by researcher David Erceg. CVE-2021-30592, described by Google as an out-of-bounds write issue in Tab Groups, earned him $10,000, while CVE-2021-30593, described as an out-of-bounds read bug in Tab Strips, earned him a $5,000 bug bounty.
“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “Since the vulnerability involves an out of bounds write, it could potentially be used to escape the browser’s sandbox. And exploiting it wouldn’t require anything but the user to install the extension.”
“As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out of bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.”
These were not the first extension-related Chrome vulnerabilities reported by Erceg to Google.
Another high-severity vulnerability for which Google paid out $20,000 is CVE-2021-30591, a use-after-free bug in the File System API. This issue was discovered by researcher SorryMybad from Kunlun Lab.
It’s worth noting that Google pays out up to $20,000 for Chrome sandbox escape vulnerabilities described in a high-quality report. Researchers can earn up to $30,000 for such flaws if they also provide a functional exploit.
It’s important that users update Chrome as soon as possible, considering that the web browser appears to be increasingly targeted in malicious attacks. Google this year patched more than half a dozen actively exploited zero-day flaws.
Related: Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched
Related: Chinese Researchers Earn Another $20,000 for Chrome Sandbox Escape
Related: Google Chrome Hit in Another Mysterious Zero-Day Attack

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
