Google is deploying updates for Chrome on desktop platforms to address six newly identified security vulnerabilities, four of which were discovered by external researchers and rated as high-severity.
Among these vulnerabilities are CVE-2024-5157, a “use-after-free” issue, and CVE-2024-5158, a “type confusion” flaw. Additionally, two “heap buffer overflow” issues have been identified. Use-after-free vulnerabilities are a form of memory corruption that can be exploited if not patched. Type confusion bugs, often found in Chromium-based browsers, exist in the V8 JavaScript engine and can be triggered by malicious HTML pages, as highlighted by cybersecurity firm SOCRadar.
The two heap buffer overflow issues are CVE-2024-5159, found in ANGLE, Chrome’s graphics layer engine, and CVE-2024-5160, located in Dawn, Google’s implementation of the WebGPU standard.
These four high-severity vulnerabilities were reported within the past five weeks. Google has already rewarded three of the external researchers with a total of $26,000 for their discoveries.
The security updates will be available in Chrome version 125.0.6422.76/.77 for Windows and Mac users, and version 125.0.6422.76 for Linux users. Google indicates that these updates will be rolled out in the coming days or weeks. SecurityWeek initially reported on Chrome’s latest update.
Earlier this month, Google addressed another high-severity “use-after-free” bug, CVE-2024-4671, with an emergency fix. This vulnerability could have been exploited to install malware, and Google confirmed that an exploit for it was already active in the wild.
These updates underscore the importance of keeping software up-to-date to protect against potential security threats.