Chinese experts earned $20,000 for reporting a Chrome Sandbox Escape

Pierluigi Paganini March 31, 2021

Researchers have reported to Google a sandbox escape vulnerability in the Chrome web browser that earned them a $20,000 bounty.

Experts from the Chinese cybersecurity company Qihoo 360 have reported to Google another sandbox escape vulnerability (CVE-2021-21194) affecting the Chrome web browser. The tech giant awarded the researchers Leecraso and Guang Gong of the 360 Alpha Lab at Qihoo 360 a $20,000 payout.

Google addressed the vulnerability, along with seven other issues, this week with the release of an update for version 89.

The CVE-2021-21194 flaw, rated as high severity, is a use-after-free in screen capture that could be exploited to escape the Chrome sandbox. By chaining the issue with a renderer flaw, an attacker can escape the sandbox and execute arbitrary code on the targeted device.

“Leecraso told SecurityWeek that the vulnerability, tracked as CVE-2021-21194, can be exploited to escape the Chrome sandbox. If exploited in combination with a renderer bug, it can allow an attacker to remotely execute arbitrary code outside the Chrome sandbox on the targeted user’s device.” reported Security Week.

Prudhvikumar Bommana from the Google Chrome team said that many of the security bugs discovered by its team are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

“This update includes 8 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.” wrote Bommana.

  • [$20000][1181228] High CVE-2021-21194: Use after free in screen capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-02-23
  • [$15000][1182647] High CVE-2021-21195: Use after free in V8. Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent Security Xuanwu Lab on 2021-02-26
  • [$10000][1175992] High CVE-2021-21196: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-08
  • [$TBD][1173903] High CVE-2021-21197: Heap buffer overflow in TabStrip. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-03
  • [$TBD][1184399] High CVE-2021-21198: Out of bounds read in IPC. Reported by Mark Brand of Google Project Zero on 2021-03-03
  • [$7500][1179635] High CVE-2021-21199: Use after free in Aura. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group and Evangelos Foutras

In October 2020, Leecraso and Guang Gong earned $15,000 for reporting to Google another use-after-free in the user interface of the Chrome browser (CVE-2020-16004). In November 2020, Google released Chrome 86.0.4240.183 for Windows, Mac, and Linux to fix 10 issues, including the CVE-2020-16004 flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, Google)