Google Pays $55,000 for High-Severity Chrome Browser Bug

Google pushes out major Chrome browser updates to fix multiple serious security defects.

Google has pushed a major Chrome browser update to patch three vulnerabilities, including two high-severity memory safety bugs reported by external researchers.

The first of the externally reported issues, tracked as CVE-2024-12381, is a type confusion flaw in the V8 JavaScript engine that earned the reporting researcher a $55,000 bug bounty reward.

As is customary, Google is keeping the technical details of this vulnerability restricted until patches have been rolled out for most users. Based on Google’s updated vulnerability rewards, it is highly likely that the security defect could be exploited to achieve remote code execution (RCE).

Prevalent in programming languages that lack memory safety mechanisms, such as C and C++, type confusion vulnerabilities occur when a resource with an incompatible type is accessed, which leads to logical errors.

Type confusion bugs in Chrome’s V8 JavaScript engine could allow threat actors to execute malicious code and potentially access sensitive information or compromise the user’s system.

Last week, Google patched another type confusion vulnerability in V8 reported by an external researcher, and announced that it handed out an $8,000 bug bounty reward. The issue is tracked as CVE-2024-12053.

The latest Chrome 131 update also resolves CVE-2024-12382, a use-after-free security defect in Chrome’s Translate component. Google has yet to disclose the bug bounty amount to be paid for this bug.

In addition to releasing two Chrome 131 security updates, Google also updated the browser’s Extended Stable channel twice over the past week. The latest version is now rolling out as version 130.0.6723.160 for Windows and macOS.

The latest Chrome iteration is being distributed as versions 131.0.6778.139/.140 for Windows and macOS, and as version 131.0.6778.139 for Linux.
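
For defenders tracking rollout, the following added example (not code from Google or from this article's author) audits a browser inventory against the fixed builds named above. The inventory layout, hostnames and installed versions are constructed assumptions; only the minimum fixed builds come from the article.

```python
from typing import NamedTuple

# Minimum fixed builds from the article; Extended Stable is listed for Windows/macOS only.
FIXED = {
    ("stable", "windows"): "131.0.6778.139",
    ("stable", "macos"): "131.0.6778.139",
    ("stable", "linux"): "131.0.6778.139",
    ("extended", "windows"): "130.0.6723.160",
    ("extended", "macos"): "130.0.6723.160",
}

class Finding(NamedTuple):
    host: str
    status: str  # "patched", "outdated" or "unknown"
    detail: str

def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(rows):
    """Classify each (host, platform, channel, version) row against FIXED."""
    findings = []
    for host, platform, channel, version in rows:
        minimum = FIXED.get((channel.lower(), platform.lower()))
        installed = parse_version(version)
        if minimum is None or installed is None:
            # No fixed build known for this channel/platform, or an unparsable version.
            findings.append(Finding(host, "unknown", f"{channel}/{platform} {version!r}"))
            continue
        # Numeric comparison: a plain string comparison would rank .85 above .139.
        status = "patched" if installed >= parse_version(minimum) else "outdated"
        findings.append(Finding(host, status, f"{version} vs fixed {minimum}"))
    return findings

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "Windows", "stable", "131.0.6778.140"),
    ("ws-02", "Windows", "stable", "131.0.6778.85"),
    ("mac-01", "macOS", "extended", "130.0.6723.160"),
    ("lnx-01", "Linux", "stable", "131.0.6778.139"),
    ("lnx-02", "Linux", "extended", "130.0.6723.160"),
    ("ws-03", "Windows", "stable", "131.0.6778"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.host:8} {f.status:9} {f.detail}")
```

Rows reported as "unknown" need manual review rather than being treated as patched.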

Google makes no mention of any of these vulnerabilities being exploited in the wild, but threat actors have been observed targeting flaws in Chrome’s V8 engine.


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
