A Chrome 92 update released this week by Google patches 10 vulnerabilities, including several high-severity flaws that earned researchers tens of thousands of dollars in bug bounties.
Researchers Leecraso and Guang Gong of the 360 Alpha Lab team at Chinese cybersecurity firm Qihoo 360 have earned $20,000 for a high-severity vulnerability tracked as CVE-2021-30590. Google described the issue as a heap buffer overflow in Bookmarks.
Leecraso told SecurityWeek that CVE-2021-30590 is a sandbox escape vulnerability that can be “exploited in combination with an extension or a compromised renderer.” An attacker can leverage the flaw to achieve remote code execution outside Chrome’s sandbox.
A high severity rating has also been assigned to two vulnerabilities reported by researcher David Erceg. CVE-2021-30592, described by Google as an out-of-bounds write issue in Tab Groups, earned him $10,000, while CVE-2021-30593, described as an out-of-bounds read bug in Tab Strips, earned him a $5,000 bug bounty.
“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “Since the vulnerability involves an out of bounds write, it could potentially be used to escape the browser’s sandbox. And exploiting it wouldn’t require anything but the user to install the extension.”
“As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out of bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.”
These were not the first extension-related Chrome vulnerabilities reported by Erceg to Google.
Another high-severity vulnerability for which Google paid out $20,000 is CVE-2021-30591, a use-after-free bug in the File System API. This issue was discovered by researcher SorryMybad from Kunlun Lab.
It’s worth noting that Google pays out up to $20,000 for Chrome sandbox escape vulnerabilities described in a high-quality report. Researchers can earn up to $30,000 for such flaws if they also provide a functional exploit.
It’s important that users update Chrome as soon as possible, considering that the web browser appears to be increasingly targeted in malicious attacks. Google this year patched more than half a dozen actively exploited zero-day flaws.
Related: Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched
Related: Chinese Researchers Earn Another $20,000 for Chrome Sandbox Escape
Related: Google Chrome Hit in Another Mysterious Zero-Day Attack

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
Latest News
- Sentra Raises $30 Million for DSPM Technology
- Cyber Insights 2023: Cyberinsurance
- Cyber Insights 2023: Attack Surface Management
- Cyber Insights 2023: Artificial Intelligence
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- Guardz Emerges From Stealth Mode With $10 Million in Funding
- How the Atomized Network Changed Enterprise Protection
- Critical QNAP Vulnerability Leads to Code Injection
