"Google Patches Six Vulnerabilities With First Chrome Update of 2024"

Google recently announced the first Chrome security update of 2024, which resolves six vulnerabilities, including four reported by external researchers. Google noted that all four externally reported security defects are high-severity memory safety flaws, but bug bounty rewards were handed out for only three of them. The first two bugs, tracked as CVE-2024-0222 and CVE-2024-0223, are use-after-free and heap buffer overflow vulnerabilities in the graphics rendering engine ANGLE. Both issues were reported by Qrious Secure researchers, who received $15,000 bug bounty rewards for each of them. The third bug, CVE-2024-0224, is a use-after-free defect in Chrome’s WebAudio component. Google noted that it handed out a $10,000 bug bounty for this flaw to the Ant Group Light-Year Security Lab researcher who reported it. Google says the latest Chrome update also resolves a use-after-free vulnerability in WebGPU. The bug is tracked as CVE-2024-0225, and Google has yet to disclose the bug bounty amount to be paid to the reporting researcher. The latest Chrome iteration is now rolling out as version 120.0.6099.199 for macOS and Linux and as versions 120.0.6099.199/200 for Windows. Google updated Chrome’s extended stable channel to version 120.0.6099.199 for macOS and to version 120.0.6099.200 for Windows. Google did not mention any vulnerabilities patched with this Chrome update being exploited in the wild.

 

SecurityWeek reports: "Google Patches Six Vulnerabilities With First Chrome Update of 2024"

Submitted by Adam Ekwall on