Google on Wednesday announced the first Chrome security update of 2024, which resolves six vulnerabilities, including four reported by external researchers.
All the four externally reported security defects are high-severity memory safety flaws, but bug bounty rewards were handed out only for three of them, Google notes in its advisory.
The first two bugs, tracked as CVE-2024-0222 and CVE-2024-0223, are use-after-free and heap buffer overflow vulnerabilities in the graphics rendering engine ANGLE.
Both issues were reported by Qrious Secure researchers, who received $15,000 bug bounty rewards for each of them.
The third bug, CVE-2024-0224, is a use-after-free defect in Chrome’s WebAudio component. Google says it handed out a $10,000 bug bounty for this flaw to the Ant Group Light-Year Security Lab researcher who reported it.
The latest Chrome update also resolves a use-after-free vulnerability in WebGPU. The bug is tracked as CVE-2024-0225 and Google has yet to disclose the bug bounty amount to be paid to the reporting researcher.
Use-after-free issues occur when the pointer is not cleared when freeing memory allocation and typically lead to arbitrary code execution, data corruption, or denial-of-service.
In Chrome, use-after-free bugs can be exploited to escape the browser’s sandbox, if the attacker targets a flaw in the underlying operating system or in a privileged process.
Google has been long working on improving memory safety in Chrome, and also hardened the browser against the exploitation of use-after-free vulnerabilities.
Despite these efforts, dozens of use-after-free issues were documented in the browser last year, most of them rated ‘high severity’.
The latest Chrome iteration is now rolling out as version 120.0.6099.199 for macOS and Linux and as versions 120.0.6099.199/200 for Windows. Google updated Chrome’s extended stable channel to version 120.0.6099.199 for macOS and to version 120.0.6099.200 for Windows.
The internet giant makes no mention of any of the vulnerabilities patched with this Chrome update being exploited in the wild.