Google Patches Two More Exploited Zero-Day Vulnerabilities in Chrome
Google on Thursday announced the rollout of a Chrome update to address four security vulnerabilities, including two that are already being exploited in the wild.
The exploited vulnerabilities include CVE-2021-37975, a high-severity use-after-free bug in the V8 engine, and CVE-2021-37976, a medium-severity information leak issue in the core. Both were reported last week.
“Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” the Internet search giant says.
Now rolling out to Windows, Mac and Linux users as Chrome version 94.0.4606.71, the new browser iteration also addresses CVE-2021-37974, a high-severity use-after-free in Safe Browsing.
Google says the report for this vulnerability earned the reporting researcher, Weipeng Jiang from Codesafe Team of Legendsec at Qi’anxin Group, a $20,000 bug bounty reward.
Exploitation of these vulnerabilities may lead to the execution of arbitrary code in the context of the browser, the Multi-State Information Sharing and Analysis Center (MS-ISAC) warns in an advisory. Successful exploitation may lead to system compromise.
The update comes roughly one week after Google issued an emergency patch for CVE-2021-37973, a high-severity use-after-free issue in the Portals API that was already being exploited in attacks.
With CVE-2021-37975 and CVE-2021-37976, the number of documented zero-day attacks so far in 2021 has reached 70. Of these, 14 security flaws were found in Google’s Chrome and Android platforms, data reviewed by SecurityWeek shows.