Google is pushing out emergency Chrome updates after two zero-day vulnerabilities have been exploited by attackers.
“Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” Google disclosed in a blog post.
Use after free bugs are commonly used to perform remote code execution or escape the browser’s security sandbox, according to Bleeping Computer.
Google has started rolling out Chrome 94.0.4606.71 to users worldwide. Users are encouraged to install the update immediately by going to the Chrome Menu > Help > About Google Chrome. The browser will begin the update immediately.
Experts note these vulnerabilities are concerning as they are known to have been exploited in the wild.
Google has addressed 14 security flaws in it’s Chrome and Android platforms since the beginning the year. The vulnerabilities include:
- CVE-2021-21148 – Heap buffer overflow in V8
- CVE-2021-21166 – Object recycle issue in audio
- CVE-2021-21193 – Use-after-free in Blink
- CVE-2021-21206 – Use-after-free in Blink
- CVE-2021-21220 – Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 – Type confusion in V8
- CVE-2021-30551 – Type confusion in V8
- CVE-2021-30554 – Use-after-free in WebGL
- CVE-2021-30563 – Type confusion in V8
- CVE-2021-30632 – Out of bounds write in V8
- CVE-2021-30633 – Use-after-free in Indexed DB API
- CVE-2021-37973 – Use-after-free in Portals
Google has not officially disclosed how these vulnerabilities were used in attacks.