Google Released a New Version of Chrome Browser Patches19 Vulnerabilities

Google

Google has launched a new version of its Chrome web browser that includes remedies for 19 vulnerabilities, including 16 that were identified by third-party researchers.

The most serious of these flaws is CVE-2021-37981, a heap buffer overflow in Skia for which Google awarded a $20,000 prize, according to a Google advisory.

Next in line are CVE-2021-37982 (incognito component use-after-free problem) and CVE-2021-37983 (incognito component use-after-free issue) (use-after-free error in Dev Tools). Google claims to have paid a $10,000 bounty for information on each of these issues.

CVE-2021-37984 (heap buffer overflow in PDFium) and CVE-2021-37985 (use-after-free in V8) are the two remaining high-severity bugs corrected in this browser release, for which Google paid $7,500 and $5,000, respectively.

A heap buffer overflow in Settings, inappropriate implementations in Blink and WebView, a race in V8, and an out-of-bounds read in WebAudio all have a medium severity rating, as do three other use-after-free vulnerabilities addressed with the release of Chrome 95 (in Network APIs, Profiles, and PDF Accessibility).

Inappropriate implementation errors in iFrame Sandbox and WebApp Installer are the two low-severity vulnerabilities fixed this week.

Separately, Google stated that it improved Chrome’s overall security by deleting support for the TLS 1.0/1.1 and FTP protocols, as well as support for URLs with non-IPv4 hostnames ending in numbers and the U2F (Universal 2nd Factor) standard. The latest browser version also imposes cookie size restrictions.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.