Both Google and Mozilla have issued updates to address numerous vulnerabilities in their browsers, Chrome and Firefox, respectively.
On Tuesday, Google released Chrome 126 and Mozilla rolled out Firefox 127, each fixing several high-severity memory safety flaws.
Chrome 126 includes patches for 21 security issues, with 18 of these being identified by external researchers. Google noted in their advisory that these researchers were awarded over $160,000 in bug bounties for their contributions.
The most substantial reward, amounting to $100,115, was for CVE-2024-5839, a medium-severity flaw in Memory Allocator. Although Google did not provide specific details about this vulnerability, the reward aligns with the MiraclePtr bypass incentives within Google’s Vulnerability Reward Program (VRP).
MiraclePtr, introduced by Google in 2022, aims to mitigate use-after-free vulnerabilities in Chrome and was fully enabled on Linux, Mac, and ChromeOS in the previous year.
A $25,000 reward was also given for CVE-2024-5830, a high-severity type confusion vulnerability in the V8 JavaScript engine.
Among the externally reported vulnerabilities addressed in Chrome 126, nine are classified as ‘high severity’: two use-after-free issues in Dawn, four type confusion problems in V8, inappropriate implementations in Dawn and DevTools, and a heap buffer overflow in Tab Groups.
Additionally, the update fixes eight medium-severity issues reported by external researchers, including five use-after-free vulnerabilities, a policy bypass, an inappropriate implementation, and a heap buffer overflow.
Google has yet to finalize the bug bounty amounts for seven of the externally reported vulnerabilities. The new Chrome version is 126.0.6478.54 for Linux and 126.0.6478.56/57 for Windows and macOS.
Mozilla’s Firefox 127, also released on Tuesday, addresses 15 vulnerabilities, including four high-severity issues. Three of these are memory safety bugs.
One high-severity flaw, CVE-2024-5687, involved the use of an incorrect principal when opening new tabs following a specific sequence of actions, an issue particular to Firefox for Android.
“This principal is used for calculating several values, including the Referer and Sec- headers, which could lead to incorrect security checks and misleading information being sent to websites,” Mozilla stated.
Firefox 127 also patches a high-severity use-after-free bug in JavaScript object transplant (CVE-2024-5688) and two memory safety issues (CVE-2024-5700 and CVE-2024-5701) that could be exploited to run arbitrary code.
Furthermore, Mozilla released Firefox ESR 115.12 with fixes for eight vulnerabilities, seven of which were addressed in Firefox 127. The eighth, CVE-2024-5702, is a high-severity use-after-free issue in networking.
Neither Google nor Mozilla have reported any instances of these vulnerabilities being exploited in the wild.
Chrome 126 and Firefox 127 Address High-Severity Vulnerabilities
Both Google and Mozilla have issued updates to address numerous vulnerabilities in their browsers, Chrome and Firefox, respectively.
On Tuesday, Google released Chrome 126 and Mozilla rolled out Firefox 127, each fixing several high-severity memory safety flaws.
Chrome 126 includes patches for 21 security issues, with 18 of these being identified by external researchers. Google noted in their advisory that these researchers were awarded over $160,000 in bug bounties for their contributions.
The most substantial reward, amounting to $100,115, was for CVE-2024-5839, a medium-severity flaw in Memory Allocator. Although Google did not provide specific details about this vulnerability, the reward aligns with the MiraclePtr bypass incentives within Google’s Vulnerability Reward Program (VRP).
MiraclePtr, introduced by Google in 2022, aims to mitigate use-after-free vulnerabilities in Chrome and was fully enabled on Linux, Mac, and ChromeOS in the previous year.
A $25,000 reward was also given for CVE-2024-5830, a high-severity type confusion vulnerability in the V8 JavaScript engine.
Among the externally reported vulnerabilities addressed in Chrome 126, nine are classified as ‘high severity’: two use-after-free issues in Dawn, four type confusion problems in V8, inappropriate implementations in Dawn and DevTools, and a heap buffer overflow in Tab Groups.
Additionally, the update fixes eight medium-severity issues reported by external researchers, including five use-after-free vulnerabilities, a policy bypass, an inappropriate implementation, and a heap buffer overflow.
Google has yet to finalize the bug bounty amounts for seven of the externally reported vulnerabilities. The new Chrome version is 126.0.6478.54 for Linux and 126.0.6478.56/57 for Windows and macOS.
Mozilla’s Firefox 127, also released on Tuesday, addresses 15 vulnerabilities, including four high-severity issues. Three of these are memory safety bugs.
One high-severity flaw, CVE-2024-5687, involved the use of an incorrect principal when opening new tabs following a specific sequence of actions, an issue particular to Firefox for Android.
“This principal is used for calculating several values, including the Referer and Sec- headers, which could lead to incorrect security checks and misleading information being sent to websites,” Mozilla stated.
Firefox 127 also patches a high-severity use-after-free bug in JavaScript object transplant (CVE-2024-5688) and two memory safety issues (CVE-2024-5700 and CVE-2024-5701) that could be exploited to run arbitrary code.
Furthermore, Mozilla released Firefox ESR 115.12 with fixes for eight vulnerabilities, seven of which were addressed in Firefox 127. The eighth, CVE-2024-5702, is a high-severity use-after-free issue in networking.
Neither Google nor Mozilla have reported any instances of these vulnerabilities being exploited in the wild.
4o
Archives
Categories
Archives
OpenSilver Expands Support to Mobile Platforms with .NET MAUI Hybrid
March 28, 2025JDK 25: What’s New in the Latest Java Release
March 18, 2025Categories
Meta