Google Patches Several Chrome Flaws That Can Be Exploited via Malicious Extensions
A Chrome 92 update released this week by Google patches 10 vulnerabilities, including several high-severity flaws that earned researchers tens of thousands of dollars in bug bounties.
Google described the issue as a heap buffer overflow in Bookmarks.
These were not the first extension-related Chrome vulnerabilities reported by Erceg to Google.
Another high-severity vulnerability for which Google paid out $20,000 is CVE-2021-30591, a use-after-free bug in the File System API. This issue was discovered by researcher SorryMybad from Kunlun Lab.
It's worth noting that Google pays out up to $20,000 for Chrome sandbox escape vulnerabilities described in a high-quality report.
Google this year patched more than half a dozen actively exploited zero-day flaws.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-26 | CVE-2021-30591 | Use After Free vulnerability in multiple products. Use after free in File System API in Google Chrome prior to 92.0.4515.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |