Google has rolled out Chrome 116, complete with fixes for 26 vulnerabilities, in its effort to enhance the browser’s security. The update includes patches for 21 vulnerabilities reported by external researchers. Notably, eight of the externally reported bugs are rated as ‘high’ severity, with a focus on memory safety issues.
Among the most serious of these, CVE-2023-2312, a use-after-free flaw in the Offline component, stands out, earning the reporting researcher a $30,000 bounty. This release also introduces a new approach to security updates, with Google planning to ship weekly patches for the popular web browser.
The vulnerabilities addressed in Chrome 116 encompass a range of issues, such as use-after-free flaws, inappropriate implementation bugs, insufficient policy enforcement, and heap buffer overflow vulnerabilities.
A total of $63,000 in bug bounty rewards was distributed to researchers who reported these vulnerabilities. Google has not reported any in-the-wild exploitation of these vulnerabilities. Chrome 116 is being deployed as version 116.0.5845.96 for Mac and Linux, and versions 116.0.5845.96/.97 for Windows. The shift to a weekly security update cadence aims to expedite the delivery of fixes for newly discovered flaws and shorten the window in which attackers can exploit known-but-unpatched vulnerabilities.