Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities

June 12, 2024 at 06:18AM

Google and Mozilla released Chrome 126 and Firefox 127, respectively, with patches for high-severity memory safety vulnerabilities. Google awarded over $160,000 in bug bounty rewards to external researchers. The highest reward, $100,115, was for CVE-2024-5839, a medium-severity inappropriate implementation in Memory Allocator. Firefox's update addresses 15 vulnerabilities, including high-severity memory safety bugs.

Key points:

1. Google and Mozilla announced the release of Chrome 126 and Firefox 127 to the stable channel, with numerous security patches for high-severity vulnerabilities.

2. Chrome 126 includes 21 security fixes, with 18 reported by external researchers who received over $160,000 in bug bounty rewards.

3. The highest bug bounty reward amount of $100,115 was paid for CVE-2024-5839, described as a medium-severity inappropriate implementation in Memory Allocator.

4. Google also paid out a $25,000 reward for CVE-2024-5830, a high-severity type confusion issue in the V8 JavaScript engine.

5. Chrome 126 resolves nine high-severity vulnerabilities, including use-after-free issues in Dawn, type confusion issues in V8, inappropriate implementations in Dawn and DevTools, and a heap buffer overflow in Tab Groups.

6. Mozilla released Firefox 127 with patches for 15 vulnerabilities, including four high-severity issues, three of which are memory safety bugs.

7. Firefox ESR 115.12 was also released with patches for eight vulnerabilities, including a high-severity use-after-free issue in networking.

8. Neither Google nor Mozilla mentioned any of these flaws being exploited in the wild.
