Google has released Chrome 111 to the stable channel with fixes for 40 vulnerabilities, of which 24 were reported by external researchers. The security defects include eight high-severity flaws, 11 medium-severity bugs, and five low-severity issues.
The external researchers were paid more than $90,000 in bug bounty rewards by Google for identifying the vulnerabilities. The high-severity vulnerabilities include three use-after-free bugs in Swiftshader, DevTools, and WebRTC, for which Google awarded bounty rewards of $15,000, $4,000, and $3,000, respectively.
The company’s advisory also mentions two type confusion flaws in V8 and CSS, for which rewards of $10,000 and $7,000 were paid, respectively.
The six medium-severity flaws reported by external researchers are insufficient policy enforcement bugs affecting extensions API, autofill, web payments API, navigation, and intents.
Chrome 111 also resolves medium-severity issues such as inappropriate implementation problems in permission prompts, WebApp installs, and autofill, a heap buffer overflow bug in the Web Audio API, and a use-after-free vulnerability in Core.
The low-severity issues include two insufficient policy enforcement bugs in Resource Timing, an inappropriate implementation flaw in intents, a type confusion bug in DevTools, and an inappropriate implementation vulnerability in Internals.
Google has not reported any of these vulnerabilities being exploited in attacks. The latest Chrome iteration is currently rolling out as versions 111.0.5563.64/.65 for Windows and as version 111.0.5563.64 for Linux and macOS.
The total amount of bug bounty rewards paid out by the company could be much higher as it has yet to determine the amounts to be handed out for several vulnerability reports.
The timely release of the Chrome update underscores the importance of regular software updates to patch vulnerabilities and protect users’ data from cyber threats.