
Chrome 118 Patches 20 Vulnerabilities

Google on Tuesday announced the release of Chrome 118 to the stable channel with fixes for 20 vulnerabilities, including 14 reported by external researchers.

The most severe of the externally reported flaws is CVE-2023-5218, a critical bug described as a use-after-free issue in Site Isolation, Chrome’s component responsible for preventing sites from stealing other sites’ data.

Implemented in Chrome as an additional security measure on top of the code that enforces the Same Origin Policy, Site Isolation groups pages from different domains in different processes that run in their own sandboxes.

While Google doesn’t provide details on CVE-2023-5218, use-after-free bugs in Site Isolation can typically allow attackers to perform a sandbox escape via a crafted HTML page, which could potentially allow them to execute arbitrary code.

The internet giant notes in its advisory that it has yet to determine the bug bounty reward for this vulnerability.

Chrome 118 also resolves eight medium-severity flaws reported by external researchers, six of which are inappropriate implementation issues in Fullscreen, Navigation, DevTools, Intents, Downloads, and Extensions API.

A use-after-free vulnerability in Blink History and a heap buffer overflow bug in PDF, both medium-severity flaws, were also resolved.

The remaining five externally reported issues patched in this browser release are low-severity vulnerabilities: four inappropriate implementations and a use-after-free.

Google says it has handed out over $30,000 in bug bounty rewards to the reporting researchers. However, the final amount might be much higher once the reward for the critical-severity vulnerability is determined.

The internet giant makes no mention of any of these vulnerabilities being exploited in malicious attacks.

The latest Chrome release is now rolling out as version 118.0.5993.70 for macOS and Linux, and as versions 118.0.5993.70/.71 for Windows.
