This week, Google developers released a stable version of Chrome 103, which fixed 14 vulnerabilities. Independent researchers who uncovered some of these problems received a total of $44,000 from the company through a bug bounty program.
The most serious of the issues addressed is CVE-2022-2156, a critical use-after-free vulnerability in Base. It was discovered by Google Project Zero specialist Mark Brand, so no bug bounty was paid for it.
Use-after-free vulnerabilities can typically lead to arbitrary code execution, data corruption, or denial of service, and when combined with other issues, they can even lead to complete system compromise. In Chrome, they are often used to escape from the browser’s sandbox.
Chrome 103 also fixes three other use-after-free vulnerabilities discovered by external researchers. The bugs affected components such as Interest group (CVE-2022-2157, High severity), WebApp Provider (CVE-2022-2161, Medium severity), and Cast UI and Toolbar (CVE-2022-2163, Low severity).
In addition, this Chrome update fixed a type confusion vulnerability discovered by a third party in the V8 JavaScript and WebAssembly engine (CVE-2022-2158), as well as four other medium and low severity issues.
The latest version of Chrome (103.0.5060.53) is already rolling out to Windows, Mac, and Linux users.