- Chrome 111 fixes 40 vulnerabilities, with 24 reported by external researchers, including 8 high-severity, 11 medium-severity, and 5 low-severity issues.
- Google paid over $90,000 in bug bounty rewards to the reporting researchers, with more to come as rewards for some vulnerabilities are still being determined.
Google has announced the release of Chrome 111 to its stable channel with fixes for 40 vulnerabilities, out of which 24 were reported by external researchers. These vulnerabilities include 8 high-severity, 11 medium-severity, and 5 low-severity issues.
Latest Chrome Update Addresses Multiple High-severity Use-after-free Bugs
Google rewarded the researchers who reported three high-severity use-after-free bugs impacting Swiftshader, DevTools, and WebRTC with $15,000, $4,000, and $3,000 respectively.
The company also rewarded $10,000 and $7,000 for two type confusion flaws in V8 and CSS respectively, and $3,000 for a stack buffer overflow issue in Crash reporting. The rewards for two heap buffer overflow bugs in Metrics and UMA have not been determined yet.
Six of the medium-severity vulnerabilities reported by external researchers are insufficient policy enforcement bugs affecting browser components such as extensions API, autofill, web payments API, navigation, and intents.
Chrome 111 also addresses several medium-severity vulnerabilities, including inappropriate implementation issues in permission prompts, WebApp installs, and autofill, a heap buffer overflow bug in the Web Audio API, and a use-after-free vulnerability in Core.
The update also fixes several low-severity vulnerabilities reported by external researchers, such as insufficient policy enforcement issues in Resource Timing, an inappropriate implementation vulnerability in Internals, an inappropriate implementation flaw in intents, a type confusion bug in DevTools.
Google has paid over $90,000 in bug bounty rewards to the reporting researchers, with the total amount potentially being higher as rewards for some vulnerabilities are still being determined.
Google has not mentioned any instances of these vulnerabilities being exploited in attacks. The latest Chrome version, 111.0.5563.64/.65 for Windows and 111.0.5563.64 for Linux and macOS, is currently being rolled out.