Chrome 134 Released with Several Bug Fixes


Google has released Chrome 134 to the stable channel, addressing 14 security vulnerabilities across its core components. These fixes include high-severity flaws that could lead to browser crashes, data leaks, or even arbitrary code execution.

High-Severity Vulnerabilities

CVE-2025-1914 – Out-of-Bounds Read in V8 JavaScript Engine

    • Description: This vulnerability involves an out-of-bounds (OOB) read in Chrome’s V8 JavaScript engine. OOB read errors occur when processes access memory outside allocated buffer boundaries, potentially exposing sensitive data or destabilizing renderer processes.
    • Impact: Could allow attackers to access sensitive data or execute arbitrary code.
    • Fix: Enhanced array bounds validation during Just-In-Time (JIT) compilation phases.
    • Bug Bounty: Researchers Zhenghang Xiao and Nan Wang earned a $7,000 reward for reporting this flaw.

Medium-Severity Vulnerabilities

CVE-2025-1915 – Path Traversal in DevTools

    • Description: A path traversal flaw in DevTools allowed unauthorized file system access via malformed debugging requests.
    • Impact: Could bypass sandbox restrictions and access sensitive files.
    • Fix: Implemented canonicalization checks to validate path integrity.
    • Bug Bounty: $4,000 reward.

CVE-2025-1916 – Use-After-Free in Profiles

    • Description: This vulnerability arises when a program continues using a memory pointer after deallocating the underlying resource, creating opportunities for heap corruption.
    • Impact: Could lead to memory corruption and potential exploitation.
    • Fix: Improved lifecycle management of profile objects.
    • Bug Bounty: $3,000 reward.

CVE-2025-1917 – UI Spoofing in Browser UI (Android)

    • Description: This flaw allowed attackers to spoof UI elements like permission prompts via crafted origin strings.
    • Impact: Could trick users into granting unnecessary permissions.
    • Fix: Introduced rigorous URL origin validation in the PermissionRequestManager.

CVE-2025-1918 – Out-of-Bounds Read in PDFium

    • Description: An OOB read vulnerability during XFA form parsing in Chrome’s PDF rendering engine.
    • Impact: Could lead to crashes or data exposure.
    • Fix: Validated childNode indices against the actual length of the pChildren array.

Low-Severity Vulnerabilities

CVE-2025-1922 – Improper Implementation in Selection

    • Description: A flaw in the Selection component could lead to minor data inconsistencies.
    • Fix: Improved implementation to ensure proper handling of selection operations.

CVE-2025-1923 – Improper Implementation in Permission Prompts

    • Description: A minor flaw in permission prompts could lead to incorrect dialog behavior.
    • Fix: Enhanced validation mechanisms for permission dialogs.

Summary of Fixes

    • Total Vulnerabilities Addressed: 14
    • Severity Levels: High (1), Medium (6), Low (2)
    • Components Affected: V8 JavaScript Engine, DevTools, Profiles, Browser UI, PDFium, Selection, and Permission Prompts.
    • Bug Bounty Rewards: Google awarded a total of $27,000 to researchers for reporting these vulnerabilities.

Recommendations

Users are strongly advised to update their Chrome browsers to version 134.0.6998.35 (Linux), 134.0.6998.35/36 (Windows), or 134.0.6998.44/45 (macOS) as soon as possible. The update will roll out progressively, so users should check for updates regularly.
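
The version check this recommendation calls for, as an added example (not from the original article or from Google): it flags installations below the fixed builds listed above. The inventory format, host names and sample versions are constructed, and treating the lower of two listed builds as the floor is an assumption.

```python
import re

# Lowest fixed build per platform, from the Recommendations paragraph. Where two
# builds are listed, using the lower one as the floor is this example's assumption.
MIN_FIXED = {
    "linux": (134, 0, 6998, 35),
    "windows": (134, 0, 6998, 35),
    "macos": (134, 0, 6998, 44),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a full four-part version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one installation."""
    floor = MIN_FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unlisted platform or unparsable version: review by hand
    # Tuples compare numerically per component, so build 9 sorts below build 35.
    return "patched" if version >= floor else "outdated"

def audit(inventory_text):
    """Map host -> status for 'host,platform,version' lines (constructed format)."""
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if len(fields) != 3:
            results[fields[0]] = "unknown"
        else:
            results[fields[0]] = classify(fields[1], fields[2])
    return results

# Constructed sample inventory (host names and versions are made up).
SAMPLE = """\
# host,platform,version
build-01,linux,134.0.6998.35
desk-17,windows,133.0.6900.10
mac-04,macos,134.0.6998.35
kiosk-02,linux,134.0.6998.9
lab-09,windows,134.0.6998.36
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Build 134.0.6998.35 counts as patched on Linux and Windows but not on macOS, where the fixed builds are 134.0.6998.44/45, so the floor has to be applied per platform.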
