High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome

Mozilla and Google have released stable updates for the Firefox and Chrome browsers to address several memory corruption vulnerabilities.

Mozilla and Google on Tuesday announced the release of stable updates for Firefox and Chrome to address several high-severity vulnerabilities, including memory corruption issues.

Mozilla released Firefox 117 with patches for 13 vulnerabilities, including seven rated ‘high severity’, four of which are described as memory corruption bugs affecting the browser’s IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components.

Reported by the same security researcher (known as sonakkbi) and tracked as CVE-2023-4573, CVE-2023-4574, and CVE-2023-4575, the first three flaws “could have led to a use-after-free causing a potentially exploitable crash,” Mozilla explains in its advisory.

Tracked as CVE-2023-4577, the fourth vulnerability could have led to a potentially exploitable crash as well.

Mozilla also patched a high-severity integer overflow (CVE-2023-4576) in the RecordedSourceSurfaceCreation component of Firefox for Windows, resulting in “a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape”.

Firefox 117 also addresses multiple high-severity memory safety bugs that are collectively tracked as CVE-2023-4584 and CVE-2023-4585 and which also impact Firefox ESR and Thunderbird.

The remaining six issues addressed with this browser release are medium- and low-severity vulnerabilities that could lead to site spoofing, sensitive information leaks, the download of files without a warning of their potential harm, a buffer overflow, or browser context not being cleared when closing a private window.


On Tuesday, the browser maker also announced the release of Firefox ESR 115.2 with patches for 14 vulnerabilities, including 12 resolved in Firefox 117. Additionally, Mozilla released Firefox ESR 102.15 with patches for six vulnerabilities.

More information on these vulnerabilities can be found on Mozilla’s security advisories page.

Google on Tuesday released its second weekly update for Chrome, now rolling out as version 116.0.5845.140 for macOS and Linux and as versions 116.0.5845.140/.141 for Windows.

The Chrome update resolves one vulnerability, tracked as CVE-2023-4572 and described as a use-after-free flaw in MediaStream. Such issues may often be exploited to escape Chrome’s sandbox and achieve remote code execution, if combined with other vulnerabilities.

Mozilla and Google make no mention of any of these flaws being exploited in attacks.
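As an added example that is not part of the original article, the following Python helper checks an installed browser version against the fixed versions named above (Firefox 117, Firefox ESR 115.2, Firefox ESR 102.15, Chrome 116.0.5845.140). The function names, the channel keys such as `firefox-esr-115`, and the sample inventory at the bottom are assumptions constructed for illustration; the Chrome floor uses .140, the lower of the two Windows builds mentioned.

```python
"""Compare installed browser versions against the fixed versions in the article."""
import re
from typing import List, Tuple

# Minimum fixed versions named in the article. Channel keys are an assumption
# of this example; callers must know which Firefox line they are on.
FIXED_VERSIONS = {
    "firefox": "117",
    "firefox-esr-115": "115.2",
    "firefox-esr-102": "102.15",
    "chrome": "116.0.5845.140",  # lower of the 116.0.5845.140/.141 Windows builds
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    A trailing "esr" suffix (Firefox reports e.g. "115.2.0esr") is tolerated;
    anything else that is not digits and dots is rejected rather than guessed.
    """
    cleaned = version.strip().lower()
    if cleaned.endswith("esr"):
        cleaned = cleaned[:-3]
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in cleaned.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Shorter tuples are zero-padded so that "115.2" and "115.2.0" compare equal.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def expand_alternatives(spec: str) -> List[str]:
    """Expand release-note shorthand like "116.0.5845.140/.141" into the full
    version strings it denotes, replacing the trailing component(s) of the base."""
    parts = spec.split("/")
    base = parts[0]
    out = [base]
    for alt in parts[1:]:
        alt = alt.lstrip(".")
        n = alt.count(".") + 1            # number of trailing components replaced
        prefix = base.split(".")[:-n]
        out.append(".".join(prefix + [alt]))
    return out


def is_patched(channel: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed version for its channel."""
    if channel not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version recorded for channel {channel!r}")
    return compare_versions(installed, FIXED_VERSIONS[channel]) >= 0


if __name__ == "__main__":
    # Constructed sample inventory (hostname, channel, installed version).
    inventory = [
        ("ws-01", "chrome", "116.0.5845.96"),
        ("ws-02", "chrome", "116.0.5845.141"),
        ("ws-03", "firefox", "117.0"),
        ("ws-04", "firefox-esr-102", "102.14.0esr"),
        ("ws-05", "firefox-esr-115", "115.2.0esr"),
    ]
    for host, channel, version in inventory:
        state = "patched" if is_patched(channel, version) else "NEEDS UPDATE"
        print(f"{host:6} {channel:16} {version:14} {state}")
```

Version strings from real endpoints are rarely uniform, which is why the parser rejects anything it does not understand instead of silently treating it as version zero; a bad string should surface as an error in an inventory report, not as a false "patched".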

Related: Firefox 116 Patches High-Severity Vulnerabilities

Related: First Weekly Chrome Security Update Patches High-Severity Vulnerabilities

Related: Chrome 116 Patches 26 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
