Google is pushing out emergency Chrome updates after two zero-day vulnerabilities have been exploited by attackers.
“Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” Google disclosed in a blog post.
The CVE-2021-37975 vulnerability is described as an “information leak in core,” and is of medium-severity level. The second vulnerability CVE-2021-37976 is described as high-severity user after-free bug in the Chrome V8 JavaScript engine.
Use after free bugs are commonly used to perform remote code execution or escape the browser’s security sandbox, according to Bleeping Computer.
Read: Google Announces New Cloud Storage Solutions
Google has started rolling out Chrome 94.0.4606.71 to users worldwide. Users are encouraged to install the update immediately by going to the Chrome Menu > Help > About Google Chrome. The browser will begin the update immediately.
Experts note these vulnerabilities are concerning as they are known to have been exploited in the wild.
Google has addressed 14 security flaws in it’s Chrome and Android platforms since the beginning the year. The vulnerabilities include:
- CVE-2021-21148 – Heap buffer overflow in V8
- CVE-2021-21166 – Object recycle issue in audio
- CVE-2021-21193 – Use-after-free in Blink
- CVE-2021-21206 – Use-after-free in Blink
- CVE-2021-21220 – Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 – Type confusion in V8
- CVE-2021-30551 – Type confusion in V8
- CVE-2021-30554 – Use-after-free in WebGL
- CVE-2021-30563 – Type confusion in V8
- CVE-2021-30632 – Out of bounds write in V8
- CVE-2021-30633 – Use-after-free in Indexed DB API
- CVE-2021-37973 – Use-after-free in Portals
Google has not officially disclosed how these vulnerabilities were used in attacks.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply