Google released an upgraded Chrome version for Windows, Mac, and Linux this week, which addresses four high-severity vulnerabilities in the browser.
The most serious of these security flaws, designated CVE-2021-37977, might be used to execute arbitrary code on a target system.
An unnamed researcher discovered the issue, which was classified as a use-after-free fault in Garbage Collection, last month. Google claims to have paid a $10,000 reward for the discovery.
Chrome version 94.0.4606.81 is now available for desktop users, and it also fixes two heap buffer overflow vulnerabilities in Blink (CVE-2021-37978) and WebRTC (CVE-2021-37979).
Yangkang (@dnpushme) of 360 ATA and Marcin Towalski of Cisco Talos, respectively, reported the concerns. According to Google, each of the reporting researchers received $7,500.
CVE-2021-37980, an incorrect implementation in Sandbox, is the fourth high-severity problem corrected with the current Chrome version. The reporting researcher, Yonghwi Jin (@jinmo123), was awarded a $3,000 incentive for the discovery.
Attackers could use specially designed webpages to compromise a visitor’s system and potentially execute code in the browser context by exploiting these vulnerabilities.
Chrome extended stable channel for Windows and Mac has also been updated to version 94.0.4606.81, according to Google.
The search engine behemoth made no mention of any of these flaws being used in targeted assaults. However, there have been over a dozen documented zero-day attacks targeting the Chrome and Android platforms so far this year.