Google on Tuesday announced the release of Chrome 116 to the stable channel with patches for 26 vulnerabilities, including 21 reported by external researchers.
Of the externally reported bugs, eight have a severity rating of ‘high’, with most of them being memory safety issues.
Based on the bug bounty reward paid out, the most important of these is CVE-2023-2312, a use-after-free flaw in the Offline component. The reporting researcher was awarded a $30,000 bounty for the finding, Google’s advisory reveals.
Next in line is CVE-2023-4349, a use-after-free issue in Device Trust Connectors, followed by an inappropriate implementation in Fullscreen (CVE-2023-4350), and a use-after-free bug in Network (CVE-2023-4351), for which Google paid out bounties of $5,000, $3,000, and $2,000, respectively.
The remaining four high-severity vulnerabilities that Chrome 116 resolves include a type confusion flaw in the V8 JavaScript engine, a heap buffer overflow bug in ANGLE, another in Skia, and an out-of-bounds memory access issue in the V8 engine.
These issues were reported by researchers at Google Project Zero and Microsoft Vulnerability Research and, per Google’s policy, no bug bounty reward will be issued for them.
All the remaining externally-reported vulnerabilities addressed in Chrome 116 are medium-severity: six inappropriate implementation bugs, three use-after-free issues, two insufficient policy enforcement flaws, one insufficient validation of untrusted input, and one heap buffer overflow vulnerability.
Overall, Google handed out $63,000 in bug bounty rewards to the reporting researchers.
The internet giant makes no mention of any of these vulnerabilities being exploited in attacks.
The latest Chrome iteration is rolling out as version 116.0.5845.96 for Mac and Linux and as versions 116.0.5845.96/.97 for Windows.
Starting with Chrome 116, the internet giant announced last week, patches for the popular browser will be shipped on a weekly basis, to ensure that fixes for newly discovered flaws reach users faster.
Major Chrome iterations will continue to arrive every four weeks, but stable updates, which have been released every two weeks since 2020, will now be more frequent, reducing the patch gap.
“While we can’t fully remove the potential for n-day exploitation, a weekly Chrome security update cadence allows up to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult,” Google said.
Related: Google Awards Over $60,000 for V8 Vulnerabilities Patched With Chrome 115 Update
Related: Chrome 115 Patches 20 Vulnerabilities
Related: Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?
https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/