Chrome for Android has been updated to 40.0.2214.109 and will be available in Google Play over the next few days. This release contains a fix for some Samsung devices seeing a permissions error, as well as the security fixes noted below.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.

This update includes 11 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

  • [$TBD][447906] High CVE-2015-1209: Use-after-free in DOM. Credit to Maksymillian Motyl.
  • [$TBD][453979] High CVE-2015-1210: Cross-origin-bypass in V8 bindings. Credit to anonymous.
  • [$TBD][453982] High CVE-2015-1211: Privilege escalation using service workers. Credit to anonymous.
As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [455225] CVE-2015-1212: Various fixes from internal audits, fuzzing and other initiatives.
Many of the above bugs were detected using AddressSanitizer or MemorySanitizer.

A partial list of other changes in this build are available in the Git log. If you find a new issue, please let us know by filing a bug. More information about Chrome for Android is available on the Chrome site.

Jason Kersey
Google Chrome