"Chrome 114 Update Patches High-Severity Vulnerabilities"

Google recently announced a new Chrome 114 update that patches a total of four vulnerabilities, including three high-severity bugs reported by external researchers.  Google says it paid out a total of $35,000 in bug bounty rewards to the reporting researchers.  The highest payout went to GitHub Security Lab researcher Man Yue Mo, who discovered a type confusion issue in Chrome's V8 JavaScript rendering engine.  Tracked as CVE-2023-3420, the vulnerability was awarded a $20,000 bug bounty.  Next in line is CVE-2023-3421, a use-after-free vulnerability in Media.  Cisco Talos researcher Piotr Bania earned a $10,000 bug bounty for finding this security defect.  Google noted that use-after-free vulnerabilities in Chrome could lead to a sandbox escape if the attacker targets a privileged browser process or a vulnerability in the underlying operating system.  The third externally reported bug is CVE-2023-3422, a use-after-free flaw in Guest View for which Google paid a $5,000 reward to a security researcher known as "asnine."  Google makes no mention of any of these vulnerabilities being exploited in attacks.  The latest Chrome iteration is now rolling out as version 114.0.5735.198 for macOS and Linux and as versions 114.0.5735.198/199 for Windows.

SecurityWeek reports: "Chrome 114 Update Patches High-Severity Vulnerabilities"

Submitted by Anonymous on