June 25, 2024 at 03:54AM
Google announced a new Chrome security update addressing four high-severity memory safety vulnerabilities. Three defects were reported by ‘wgslfuzz’ and the fourth by Cassidy Kim. wgslfuzz received a $10,000 reward for CVE-2024-6290 and Kim $4,000 for CVE-2024-6291. The update, version 126.0.6478.126 for Linux and 126.0.6478.126/127 for Windows and macOS, includes fixes for Chrome and Chrome for Android, and users are urged to update.
The vulnerabilities, tracked as CVE-2024-6290 to CVE-2024-6293, are use-after-free bugs affecting the Dawn and Swiftshader components of the browser. Three of the issues were reported by a security researcher named ‘wgslfuzz’, with one reported by Cassidy Kim.
Additionally, Google rewarded wgslfuzz with $10,000 for CVE-2024-6290 and Cassidy Kim with $4,000 for CVE-2024-6291. The amounts for the remaining two vulnerabilities are yet to be determined. The latest Chrome iteration, version 126.0.6478.126 for Linux and versions 126.0.6478.126/127 for Windows and macOS, is being rolled out to users, along with an update for Chrome for Android to version 126.0.6478.122.
Although there is no indication of these vulnerabilities being exploited in the wild, users are urged to update their browsers promptly. Use-after-free issues can lead to arbitrary code execution, data corruption, or denial-of-service conditions. Google has been actively addressing memory safety flaws in Chrome and moving towards using Rust, a memory-safe programming language.
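A fleet check against the fixed builds listed above, as an added example that is not part of the original article. The inventory format, host names and sample version strings are constructed; versions are compared numerically, so a build ending in .99 is not mistaken for newer than .126.

```python
import re

# Minimum fixed builds per platform, taken from the versions in the article.
FIXED = {
    "linux": (126, 0, 6478, 126),
    "windows": (126, 0, 6478, 126),   # .126/.127 ship on Windows and macOS
    "macos": (126, 0, 6478, 126),
    "android": (126, 0, 6478, 122),
}

# Four dotted integers that are not part of a longer dotted number.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Classify one install as 'ok', 'update' or 'unknown'."""
    fixed = FIXED.get(platform.strip().lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"  # surface it for manual review instead of assuming safe
    # Tuple comparison is numeric per component, unlike comparing strings.
    return "ok" if found >= fixed else "update"


def audit(inventory):
    """Map host -> status for lines of the form 'host,platform,version text'."""
    results = {}
    for line in inventory.strip().splitlines():
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        results[host] = status(platform, version_text)
    return results


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = """
ws-01,windows,Google Chrome 126.0.6478.127
ws-02,windows,126.0.6478.62
lx-01,linux,Google Chrome 126.0.6478.99
mac-01,macos,Google Chrome 126.0.6478.126
ph-01,android,126.0.6478.122
ph-02,android,Chrome 125.0.6422.165
lx-02,linux,unknown
"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```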