Chrome 116 Update Fixes 4 High-Severity Vulnerabilities
Google recently released a Chrome 116 update that includes security fixes for four high-severity vulnerabilities discovered by external researchers.
This blog post discusses each patched vulnerability, its type, and the potential risk to the system.
High-Severity Vulnerabilities Fixed in Chrome 116
CVE-2023-4761
An out-of-bounds memory access flaw was discovered in the FedCM API. This could enable a remote attacker, who had successfully compromised the renderer process, to conduct an out-of-bounds memory read through a crafted HTML page.
What is an out-of-bounds memory vulnerability?
An out-of-bounds memory access vulnerability occurs when a program tries to read from or write to a memory location that is outside the bounds of the memory allotted for a particular data structure, like an array or a buffer. This may have a number of unwanted and potentially detrimental effects, such as data corruption, software crashes, or, in the worst circumstances, security flaws that attackers might exploit.
CVE-2023-4762
Another fix in the Chrome 116 update addresses a type confusion vulnerability discovered in the V8 JavaScript engine. The flaw could allow a remote attacker to execute arbitrary code through a crafted HTML page.
What is a type confusion vulnerability?
A type confusion vulnerability arises when a program or script misinterprets or improperly handles the data types of objects or variables. It may result in unexpected behavior, security holes, and potentially exploitable weaknesses in the software.
CVE-2023-4763
A use-after-free flaw was found in Networks, which could potentially allow a remote attacker to exploit heap corruption through a specially crafted HTML page.
What is a use-after-free vulnerability?
A use-after-free vulnerability occurs when a program or application tries to access or use a memory address after that memory has been released or deallocated. In other words, it is an attempt to “use” memory that has already been marked as “free” or “released.” Use-after-free flaws can seriously weaken security and can be used by attackers to take over a system or application.
CVE-2023-4764
The last vulnerability addressed in this Chrome 116 update is an incorrect security UI flaw in BFCache, which could allow an attacker to spoof the contents of the Omnibox (URL bar) through a crafted HTML page.
Google is currently in the process of determining the bug bounty rewards that will be granted to the researchers who reported these findings.
Final Words
The Stable and Extended Stable channels have been updated to version 116.0.5845.179 for Linux. As Google has rated these vulnerabilities as high severity, it is essential to update Chrome to this new version as soon as possible to protect your system. These updates will roll out gradually over the upcoming days and weeks.
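Because the rollout is gradual, it helps to confirm which Linux machines have actually reached the fixed build. The following is an added example, not part of the original article: it compares collected version strings against 116.0.5845.179, assuming they look like the output of `google-chrome --version`; the hostnames and sample outputs are constructed.

```python
import re

# Fixed Stable/Extended Stable build for Linux, as stated in the article.
FIXED_LINUX = (116, 0, 5845, 179)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 116.0.5845.140'. Returns a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text, fixed=FIXED_LINUX):
    """Return 'patched', 'outdated' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # Chrome missing or output not recognised
    # Tuples compare numerically part by part, so 116.0.5845.96 sorts
    # below 116.0.5845.179; a plain string comparison would get this wrong.
    return "patched" if version >= fixed else "outdated"

def audit(inventory):
    """inventory maps hostname -> version output.
    Returns only the hosts that are not confirmed patched."""
    findings = {}
    for host in sorted(inventory):
        status = classify(inventory[host])
        if status != "patched":
            findings[host] = status
    return findings

# Constructed sample inventory (hypothetical hostnames and outputs).
SAMPLE = {
    "build-01": "Google Chrome 116.0.5845.179 ",
    "dev-07": "Google Chrome 116.0.5845.96 ",
    "kiosk-03": "Google Chrome 115.0.5790.170 ",
    "lab-02": "Google Chrome 117.0.5938.62 ",
    "ws-11": "bash: google-chrome: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual look, since a missing or unparseable version is not evidence of a patched browser.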
The sources for this article include a story from SecurityWeek.