Google Awards $10,000 for Remote Code Execution Vulnerability in Chrome

Google this week announced that an update for Chrome 84 includes 15 security patches, one of which addresses a serious vulnerability for which the tech giant awarded a $10,000 bug bounty.
This vulnerability is CVE-2020-6542, a high-severity use-after-free bug in ANGLE, the Chrome component responsible for translating OpenGL ES API calls to hardware-supported APIs available for the operating system.
Discovered by Piotr Bania of Cisco Talos, the remote code execution vulnerability is easy to exploit, as the attacker only needs to set up a website containing malicious code that is triggered when a user visits it.
Google awarded the security researcher a $10,000 bug bounty reward for reporting this vulnerability.
Google has yet to provide information on the bug bounties paid to the reporting researchers.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-09-21 | CVE-2020-6542 | Use After Free vulnerability in multiple products: Use after free in ANGLE in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |