The version of Google Chrome installed on the remote host is prior to 64.0.3282.119, and is affected by multiple vulnerabilities :
- An integer overflow condition exists in the ‘Runtime_RegExpReplace()’ function in ‘runtime/runtime-regexp.cc’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the ‘JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid()’ function in ‘interpreter/bytecode-array-accessor.cc’ that is triggered when accessing a bytecode jump table. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds read flaw exists in the ‘parse_opus_ts_header()’ function in ‘libavcodec/opus_parser.c’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw exists in the ‘WebUsbDetector::OnDeviceAdded()’ function in ‘usb/web_usb_detector.cc’ that is triggered when displaying RTL languages in WebUSB notifications. This may allow a context-dependent attacker to cause the URL to be somewhat improperly displayed.- An assertion flaw exists in the ‘DateFormat::format()’ function that is triggered when handling Nan and Infinity dates. This may allow a context-dependent attacker to cause a process linked against the library to terminate.
- A flaw exists as it does not properly limit certain problematic characters ‘e.g’. Malaylam U+0D1F letters before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can more easily spoof an omnibox address.
- A flaw exists in the ‘NavigationControllerImpl::RendererDidNavigateToExistingPage()’ function in ‘frame_host/navigation_controller_impl.cc’ that is triggered when managing SSL state while navigating to an existing insecure page that redirected to a secure page. This may allow a context-dependent attacker to cause the SSL state to be lost.
- A flaw exists in the ‘TopSitesImpl::SetTopSites()’ function in ‘components/history/core/browser/top_sites_impl.cc’ that is triggered as clearing all browsing data retains page thumbnails in New Tab Page. This may allow a local attacker to disclose visited pages even when such information should have been deleted.
- A flaw exists that is triggered when handling IP addresses from mDNS / cast channel requests. This may allow an attacker to gain unauthorized access to a cast device.
- An out-of-bounds read flaw exists in the ‘TemplateURLParsingContext::ProcessURLParams()’ function in ‘components/search_engines/template_url_parser.cc’ that is triggered when handling invalid template URLs. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists that is triggered when handling frames. This may allow a context-dependent attacker to bypass HTML sandbox restrictions.
- A flaw exists in the ‘Event::Deserialize()’ function in ‘mojo/edk/system/ports/event.cc’ that is triggered when calculating mojo event message data sizes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the ‘JSBuiltinReducer::ReduceObjectCreate()’ function in ‘compiler/js-builtin-reducer.cc’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An overflow condition exists that is triggered when handling bitstream audio in the IPC layer.