Google and Mozilla have issued Chrome 126 and Firefox 127 to the stable channels of their respective browsers. The updates fix multiple critical memory safety vulnerabilities. Google fixed 21 vulnerabilities in Chrome, including nine high-severity bugs and eight medium-severity bugs. Mozilla patched 15 bugs, including four high-severity bugs, three of which were memory safety-related issues.
In typical fashion, Google hasn’t revealed technical details behind the fixed issues but has been generous to the reporting researchers. Out of the 21 bugs it fixed, 18 were externally reported. The search giant paid over $160,000 in bug bounty rewards to the researchers.
The highest reward was $100,115 awarded for finding CVE-2024-5839, a medium-severity inappropriate implementation in the browser’s memory allocator. Another reward of $25,000 was awarded for CVE-2024-5830, a high-severity bug in the V8 JavaScript engine.
Google’s rewards align with the company’s MiraclePtr bypass rewards that it offers as part of its Vulnerability Reward Program (VRP). MiraclePtr was announced in 2022 to reduce exploitation of use-after-free vulnerabilities in Chrome and was enabled for Linux, macOS, and ChromeOS in 2023. The search giant’s advisory notes that some bug bounty rewards are still to be decided.
Mozilla also fixed 15 issues in Firefox, including four high-severity vulnerabilities in the browser. While the company’s advisory doesn’t cover the bug bounty rewards offered to the discoverers, it provides information about the fixed bugs. The four high-severity bugs include:
- CVE-2024-5700: Includes memory safety bugs in Firefox 126, ESR 115.11, and Thunderbird 115.11. If exploited, the vulnerability may allow attackers to run arbitrary code.
- CVE-2024-5701: Includes memory safety bugs in Firefox 126. If exploited, the vulnerability may allow attackers to run arbitrary code.
- CVE-2024-5687: The bug only affects Firefox for Android. If exploited, it could run incorrect security checks within the browser and send incorrect or misleading information to remote websites.
- CVE-2024-5688: This vulnerability affects Firefox’s garbage collection. If garbage collection happens at the right time, an attacker can exploit a use-after-free occurrence during object transplant.
Chrome and Firefox users are advised to update their respective browsers as soon as possible. While neither company has reported these vulnerabilities being exploited in the wild, it’s best practice to keep your software updated to prevent unexpected attacks.