Google has released a new security update for its Chrome web browser for all supported platforms. The update patches 11 unique security issues in the browser. It comes days after an out-of-band security update for Chrome to address a 0-day security vulnerability.
While the issues do not appear to be exploited at the time of writing, it is recommended to update Chrome immediately.
This is done by loading chrome://settings/help in the browser’s address bar or selecting Menu > Help > About Google Chrome manually.
Chrome lists the installed version and will download a new version that it finds automatically on desktop systems.
Pro Tip: open a command prompt window on Windows and run winget upgrade google.chrome.exe to update Chrome without opening it.
Chrome should display one of the following versions after installation of the update:
- Chrome for Mac or Windows: 125.0.6422.141 or 125.0.6422.142
- Chrome for Linux: 125.0.6422.141
- Chrome Extended Channel for Mac or Windows: 124.0.6367.243
- Chrome for Android: 125.0.6422.146 or 125.0.6422.147
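To check more than one machine, the version list above can be turned into a small audit. The following is an added example, not code from Google or from this article; it assumes that a 124.x build belongs to the Extended channel and that any milestone newer than 125 already contains the fixes, and the inventory rows are constructed.

```python
# Added example: flag Chrome installs below the fixed builds listed above.
# Assumptions: a 124.x build is Extended channel; milestones above 125 are fixed.

# Minimum fixed build per (platform, milestone), taken from the list above.
FIXED = {
    ("windows", 125): (125, 0, 6422, 141),
    ("mac", 125): (125, 0, 6422, 141),
    ("linux", 125): (125, 0, 6422, 141),
    ("android", 125): (125, 0, 6422, 146),
    ("windows", 124): (124, 0, 6367, 243),  # Extended channel
    ("mac", 124): (124, 0, 6367, 243),      # Extended channel
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of four ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform, version_text):
    """True if the version is at or above the fixed build for its milestone."""
    platform = platform.lower()
    milestones = [m for (p, m) in FIXED if p == platform]
    if not milestones:
        raise ValueError(f"no fixed build listed for platform {platform!r}")
    version = parse_version(version_text)
    if version[0] > max(milestones):
        return True   # newer milestone than any listed (assumed fixed)
    minimum = FIXED.get((platform, version[0]))
    if minimum is None:
        return False  # older milestone with no fixed build listed
    # Tuple comparison is numeric per field; comparing the raw strings
    # would rank "125.0.6422.99" above "125.0.6422.141".
    return version >= minimum

def audit(inventory):
    """Return the (host, platform, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory (host names and versions are made up).
SAMPLE = [
    ("ws-01", "Windows", "125.0.6422.142"),
    ("ws-02", "Windows", "125.0.6422.99"),
    ("mac-01", "Mac", "124.0.6367.243"),
    ("lin-01", "Linux", "124.0.6367.243"),
    ("tab-01", "Android", "125.0.6422.141"),
]

if __name__ == "__main__":
    for host, platform, version in audit(SAMPLE):
        print(f"{host}: {platform} {version} needs the update")
```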
The security fixes
Google lists seven of the eleven security issues that it fixed in the Chrome update on the official releases site.
All seven have a severity rating of high. Google does not publish information about security issues that it discovered internally. The severity of the four unmentioned security issues is unknown as a consequence.
Here is what Google reveals about the listed security issues:
- [$7000][339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
- [TBD][338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
- [TBD][338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
- [TBD][338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
- [TBD][339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
- [TBD][339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anymous on 2024-05-09
- [TBD][339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11
The security issues affect several components of the browser, including APIs, keyboard inputs, media session, WebRTC, and Dawn. Dawn is an “open-source and cross-platform implementation of the WebGPU standard” according to Google Source.