Google this week announced a Chrome 116 security update that patches five memory safety vulnerabilities reported by external researchers, including four issues rated ‘high severity’.
Based on the bug bounty reward Google paid out for these flaws, the most severe of them is CVE-2023-4430, a use-after-free bug in Vulkan, the cross-platform, open standard for 3D graphics.
The vulnerability was reported by Cassidy Kim, who received a $10,000 bug bounty reward for the finding, Google notes in its advisory.
Next in line is another use-after-free issue, this time in the Loader component. The flaw is tracked as CVE-2023-4429 and was reported by an anonymous researcher, who received a $3,000 bounty.
The internet giant says it also handed out a $2,000 reward for a high-severity out-of-bounds memory access vulnerability in CSS.
However, per Google’s policy, no bug bounty reward will be paid for a similar issue in the V8 JavaScript engine, which was reported by a Google Project Zero researcher, nor for a medium-severity out-of-bounds memory access flaw in Fonts, which was reported by a Microsoft security researcher.
The latest Chrome iteration is rolling out as version 116.0.5845.110 for Mac and Linux and as versions 116.0.5845.110/.111 for Windows.
Google makes no mention of any of these vulnerabilities being exploited in attacks.
The update arrives one week after Chrome 116 was released in the stable channel, in line with Google’s previously laid out plans to ship patches for new vulnerabilities faster than before.
While major Chrome iterations will continue to arrive every four weeks, stable security updates will be released weekly, to reduce the window for n-day exploits. Since 2020, the internet giant has been shipping stable updates every two weeks.