"Chrome 120 Update Patches High-Severity Vulnerabilities"

Google recently announced the release of a Chrome 120 security update that addresses nine vulnerabilities, six of which were reported by external researchers.  Of the externally reported flaws, five have a severity rating of high, four of which are use-after-free issues.  Google said it handed out $50,000 in rewards to the reporting researchers.  Based on the bug bounty reward that was paid out, the most severe of the resolved vulnerabilities is a type confusion bug in the V8 JavaScript engine.  The issue is tracked as CVE-2023-6702 and was reported by Codesafe Team of Legends researchers, who received a $16,000 bug bounty for the finding.  The remaining four high-severity flaws are use-after-free bugs in the browser’s Blink, libavif, WebRTC, and FedCM components.  Google says it handed out $7,000 rewards for the first three and a $6,000 bug bounty for the fourth.  Google noted that it also patched a medium-severity use-after-free vulnerability in CSS, for which it paid out a $7,000 bounty.  The latest Chrome iteration is now rolling out to macOS, Linux, and Windows users as version 120.0.6099.109.  Google also announced that the extended channel for macOS has been updated to the same version.  Google did not mention if these security holes were being exploited in the wild.

SecurityWeek reports: "Chrome 120 Update Patches High-Severity Vulnerabilities"