Google and Mozilla on Tuesday announced security updates for their Chrome and Firefox web browsers, and some of the vulnerabilities they patch are potentially severe.
Google has announced the release of Chrome 130, which patches two vulnerabilities.
One of them, tracked as CVE-2024-10487, has been described as a critical out-of-bounds write issue in Dawn, the cross-platform implementation of the WebGPU standard.
The issue was reported to Google by Apple’s Security Engineering and Architecture (SEAR) team just one week ago. Different implementations of the WebGPU graphics API are used in Firefox and Safari as well, but it’s unclear if these browsers are also impacted by CVE-2024-10487.
While there is no information on what CVE-2024-10487 can be exploited for, in general, exploitation of out-of-bounds write issues can lead to arbitrary code execution. Google has not mentioned anything about in-the-wild exploitation.
The second vulnerability patched with the release of Chrome 130 is CVE-2024-10488, a high-severity use-after-free in WebRTC.
Google has yet to determine the bug bounties that it will pay out for these vulnerabilities.
Mozilla on Tuesday released Firefox 132 and Thunderbird 132. The latest versions of the browser and email client patch the same 11 vulnerabilities, including two high-severity issues.
One of them, tracked as CVE-2024-10458, has been described as a permission leak that can occur from a trusted website to an untrusted website. The second issue, CVE-2024-10459, is a use-after-free that can lead to an exploitable crash.
The remaining vulnerabilities have been assigned ‘medium’ and ‘low’ severity ratings and their exploitation can lead to spoofing, XSS attacks, data leaks, DoS conditions, and arbitrary code execution.
Related: North Korean Hackers Exploited Chrome Zero-Day for Cryptocurrency Theft
Related: Google Pays Out $36,000 for Severe Chrome Vulnerability
Related: Firefox 131 Update Patches Exploited Zero-Day Vulnerability
