Google has patched a zero-day vulnerability in its Chrome browser for Mac, Windows, and Linux. The vulnerability, which is the second zero-day to be patched by Google in the past month and the third in 2021, could be exploited remotely and could allow the execution of arbitrary code on a vulnerable device.
The flaw, tracked as CVE-2021-21193, is present in the Blink rendering engine and is a ‘use-after-free’ vulnerability that is currently being exploited in the wild. The flaw has been corrected in version 89.0.4389.90 of the browser for Windows, Mac, and Linux. The high-severity vulnerability was assigned a CVSS base score of 8.8 out of 10 and was reported to Google by an anonymous researcher.
To exploit the flaw, an attacker would need to convince a user to visit a specially crafted web page, by sending a link in a phishing email for example. When the user arrives on the page, the vulnerability could be exploited to trigger a denial-of-service condition or execute arbitrary code. Further information on the vulnerability has not been released but will be made available when the majority of Google Chrome users have updated to the latest version of the browser.
Google also corrected four other vulnerabilities in the latest release, including another high severity use-after-free vulnerability (CVE-2021-21191) in WebRTC and a high-severity heap-buffer overflow flaw (CVE-2021-21192) in Chrome group tabs.
Earlier in March, Google corrected a high severity zero-day vulnerability in the audio component of the browser. An exploit for the flaw, tracked as CVE-2021-21166, was being used in attacks.
Since one of the flaws is being actively exploited in the wild, all Chrome users are advised to update to the latest version of the browser manually as soon as possible. Manual updates can be made by navigating to Menu > Help > About Google Chrome.