Google on Tuesday announced a Chrome 126 update that contains six security fixes, four of which address high-severity vulnerabilities reported by external researchers.
The first externally reported bug addressed with this update, tracked as CVE-2024-6100, is a high-severity type confusion issue in the V8 JavaScript engine.
According to Google’s advisory, the security defect was reported by Seunghyun Lee at SSD Secure Disclosure’s TyphoonPWN 2024 hacking competition, held in Seoul, Korea, at the TyphoonCon offensive security conference.
The reporting researcher, Google says, received a $20,000 bug bounty reward for the finding.
The second issue addressed with this Chrome 126 update is CVE-2024-6101, described as an inappropriate implementation in WebAssembly. Google says it handed out a $7,000 reward for this vulnerability.
The Chrome 126 security update also resolves two high-severity flaws in Dawn, namely an out-of-bounds memory access flaw (CVE-2024-6102) and a use-after-free (CVE-2024-6103).
Both security defects were reported by security researcher ‘wgslfuzz’, and Google says it has yet to determine the bug bounty amounts to be paid for them.
As usual, the internet giant has shared no technical details on these vulnerabilities. The company made no mention of any of the issues being exploited in the wild.
The latest Chrome iteration is now rolling out to users as version 126.0.6478.114 for Linux and as versions 126.0.6478.114/115 for Windows and macOS.
Related: Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities
Related: Google Patches Fourth Chrome Zero-Day in Two Weeks
Related: Chrome 125 Update Patches High-Severity Vulnerabilities
Related: Google Extends Chromebook Lifespan, Promises 10 Years of Automatic Updates
