Updated 15 April 2024 (IGEL OS 11.09.310 available)
First published 25 March 2024
CVSS 3.1: 8.8 (high)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Multiple security vulnerabilities have been found in the Chromium web browser used in IGEL OS. This affects the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
Of the security issues found in the Chromium web browser, several affect the V8 JavaScript engine. They are all rated high and range from type confusion (CVE-2024-0518, CVE-2024-1938, CVE-2024-1939) and inappropriate implementation (CVE-2024-2174) to out-of-bounds memory access (CVE-2024-2173, CVE-2024-0519).
Use-after-free vulnerabilities rated high have been found in the Mojo (CVE-2024-1284, CVE-2024-1670), Performance Manager (CVE-2024-2400), WebAudio (CVE-2024-0807), Network (CVE-2024-1077), WebRTC (CVE-2024-1059), Canvas (CVE-2024-1060) and FedCM (CVE-2024-2176) components of the browser. These could allow a remote attacker to exploit heap corruption via crafted data.
Further issues are an out-of-bounds memory access in Blink (CVE-2024-1669), a heap buffer overflow in Skia (CVE-2024-1283), an inappropriate implementation in Accessibility (CVE-2024-0812) and an integer underflow in WebUI (CVE-2024-0808). These are also rated high.
Update Instructions
OS 12: Update the OS 12 Chromium App to version 122.0.6261.128 when it is available on the IGEL App Portal.