Google has released a critical security update for its Chrome browser, addressing six vulnerabilities, four of which were identified by third-party developers. Among the most significant issues are type confusion (CVE-2024-5158) and use-after-free (CVE-2024-5157), which could lead to data leakage and the insertion of malicious software.
The use-after-free flaw, related to memory corruption, potentially allows hackers to install malicious applications. The second serious vulnerability, type confusion, has repeatedly been found in Chromium-based browsers and the V8 JavaScript engine. Attackers can exploit the type confusion bug through a specially crafted malicious HTML page, as previously reported by cybersecurity firm SOCRadar.
The buffer overflow error, CVE-2024-5159, was found in Chrome’s ANGLE graphics engine. Another vulnerability, CVE-2024-5160, was discovered in Dawn, Google’s open standard for the WebGPU API.
Details about these four vulnerabilities emerged within the past five weeks. Fixes are being dispatched to Windows and Mac users via Chrome versions 125.0.6422.76/.77, and to Linux users via build 125.0.6422.76. According to Google, these updates will be available for download in the coming days or weeks. As is the norm, Google has awarded monetary prizes amounting to 26,000 dollars to the three developers who discovered these and other security flaws.
It is worth noting that earlier this month, Google had already released an urgent Chrome update to rectify a critical vulnerability, CVE-2024-4671. This was also a use-after-free error, which could be used to install malicious software on a user’s computer.