Google has rolled out a new Chrome 128 update, addressing five security vulnerabilities, including four reported by external researchers. These high-severity memory safety issues were reported following the stable release of Chrome 128 in late August.
Key Vulnerabilities Addressed
Among the most critical vulnerabilities is CVE-2024-8636, a heap buffer overflow in Skia, the 2D graphics engine used by Chrome. This vulnerability could allow attackers to execute malicious code by exploiting memory corruption.
Another significant flaw is CVE-2024-8637, a use-after-free issue in Chrome's Media Router. This kind of vulnerability occurs when a program continues to use memory after it has been released, which can lead to code execution, data corruption, or denial-of-service attacks. When combined with other flaws, it could enable a sandbox escape, allowing attackers greater control over the system.
The third externally reported vulnerability is CVE-2024-8638, a type confusion error in the V8 JavaScript engine. This vulnerability could cause unexpected application behavior, crashes, or even remote code execution, making it a high-risk issue for users.
The final externally reported issue is CVE-2024-8639, another use-after-free vulnerability, this time in Chrome's Autofill feature. Like the Media Router flaw, it can lead to various security risks, including potential code execution.
Bug Bounties and Update Availability
Google awarded $15,000 and $11,000 for the first two vulnerabilities, though the bounty amounts for the other two have yet to be disclosed.
The update is now available for download, with Chrome versions 128.0.6613.137/.138 released for Windows and macOS, and 128.0.6613.137 for Linux.
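For teams that track browser versions across many machines, the fixed builds above can be checked against an inventory. The following is an added example, not code from Google or the Chrome project. The inventory format, host names and function names are hypothetical, and it assumes any build at or above 128.0.6613.137 carries these fixes.

```python
import re

# Fixed builds as stated in the article; .137 is the lowest patched build
# on every platform (.138 is also shipped for Windows and macOS).
FIXED_BUILD = {
    "windows": (128, 0, 6613, 137),
    "macos": (128, 0, 6613, 137),
    "linux": (128, 0, 6613, 137),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free-form text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(os_name, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one inventory entry."""
    fixed = FIXED_BUILD.get(os_name.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "128.0.6613.99" above "128.0.6613.137".
    return "patched" if version >= fixed else "needs_update"


# Constructed sample inventory: (host, OS, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 128.0.6613.138"),
    ("ws-02", "windows", "Google Chrome 128.0.6613.120"),
    ("mac-01", "macos", "Google Chrome 128.0.6613.99"),
    ("lnx-01", "linux", "Google Chrome 128.0.6613.137 "),
    ("lnx-02", "linux", "Google Chrome 129.0.6668.58"),
    ("kiosk-01", "chromeos", "version not reported"),
]


def audit(inventory):
    """Map each host to its patch status."""
    return {host: classify(os_name, text) for host, os_name, text in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Entries reported as unknown (an unlisted platform or an unparseable version string) need manual follow-up rather than being counted as patched.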
User Action Recommended
Although Google has not confirmed whether any of these vulnerabilities have been actively exploited, it is highly recommended that users update their browsers as soon as possible to stay protected.
This marks the third Chrome 128 update in recent weeks, with previous updates addressing eight additional vulnerabilities, six of which were also reported by external researchers.
As Chrome continues to be a popular target for attackers, staying on top of these updates is essential for maintaining browser security and protecting personal data.