"Google Awards Over $60,000 for V8 Vulnerabilities Patched With Chrome 115 Update"

Google recently announced a Chrome 115 update that patches 17 vulnerabilities, including 11 flaws reported by external researchers. Google noted that the browser update resolves three high-severity type confusion bugs in the V8 JavaScript and WebAssembly engine that earned the reporting researchers over $60,000 in bug bounties. The company stated that it handed out $43,000 in rewards to a security researcher named "Jerry," who reported two of these V8 issues, tracked as CVE-2023-4068 and CVE-2023-4070. A $21,000 bug bounty was awarded to Man Yue Mo of GitHub Security Lab for reporting the third type confusion bug, tracked as CVE-2023-4069.

The latest Chrome update also resolves six other high-severity vulnerabilities. Based on the paid bug bounties, the most severe of these is CVE-2023-4071, a heap buffer overflow bug in Visuals. Next in line is an out-of-bounds read and write issue in WebGL (CVE-2023-4072), followed by an out-of-bounds memory access flaw in the ANGLE graphics engine abstraction layer (CVE-2023-4073). The remaining three externally reported high-severity security defects are use-after-free vulnerabilities in Blink Task Scheduling, Cast, and WebRTC. Google noted that the latest Chrome iteration also resolves two medium-severity bugs in Extensions: an insufficient data validation issue and an inappropriate implementation issue.

Google says it handed out a total of $123,000 in bug bounty rewards to the reporting researchers. The latest Chrome release is currently rolling out as version 115.0.5790.170 for Mac and Linux and as versions 115.0.5790.170/.171 for Windows. Google makes no mention of any of these vulnerabilities being exploited in attacks.

 

SecurityWeek reports: "Google Awards Over $60,000 for V8 Vulnerabilities Patched With Chrome 115 Update"

Submitted by Anonymous on