Google released a patch on Thursday for vulnerabilities affecting the latest version of Chrome for Windows, Mac, and Linux, including several high-risk issues.
One of the most significant flaws, a high-severity vulnerability (CVE-2016-1646), is an out-of-bounds read in the V8 JavaScript engine. The flaw was discovered by Wen Xu at Tencent KeenLab.
A high-severity vulnerability (CVE-2016-1649), a buffer overflow flaw affecting libANGLE, was discovered by South Korean security researcher Jung Hoon Lee (lokihardt), working through Hewlett-Packard's Zero Day Initiative, during HP's Pwn2Own hacking competition.
Anonymous researchers discovered two other high-severity flaws (CVE-2016-1647 and CVE-2016-1648). The vulnerabilities are use-after-free bugs that affect Chrome's navigation and extensions, respectively.
Google's internal team fixed further bugs in V8 (version 4.9.385.33) and another set of issues (CVE-2016-1650) found through internal audits, fuzzing and other initiatives.
Several of the vulnerabilities were discovered through the AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer tools, according to Google's security update.