Google addresses a new Chrome zero-day flaw actively exploited in the wild

Google Chrome 93.0.4577.82 for Windows, Mac, and Linux that addressed eleven security issues, including two zero-days actively exploited.

Google released Chrome 93.0.4577.82 for Windows, Mac, and Linux that fixed eleven security issues, including two zero-days vulnerabilities actively exploited in the wild.

This is the tenth zero-day vulnerability in Chrome fixed by Google that was exploited in attacks in the wild.

Below is the list of the other nine zero-day vulnerabilities addressed in Chrome in 2021:

• CVE-2021-21148 – February 4th, 2021
• CVE-2021-21166 – March 2nd, 2021
• CVE-2021-21193 – March 12th, 2021
• CVE-2021-21220 – April 13th, 2021
• CVE-2021-21224 – April 20th, 2021
• CVE-2021-30551 – June 9th, 2021
• CVE-2021-30554 – June 17th, 2021
• CVE-2021-30554 – June 17th, 2021
• CVE-2021-30563 – July 15th, 2021

Both zero-day vulnerabilities fixed in Chrome 93.0.4577.82 were disclosed to Google on September 8th, 2021. The first issue, tracked as CVE-2021-30632 is an out-of-bounds write that resides in the V8 JavaScript engine, while the CVE-2021-30633 flws is a use-after-free vulnerability that impacts the Indexed DB API. 

“Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” reads the release note published by the company.

Google did not provide details about the attacks either information about the threat actors exploiting the vulnerabilities. The two vulnerabilities were reported by anonymous researchers.

The two zero-day flaws could be exploited to trigger a DoS condition and under specific circumstances they can allow attackers to escape the sandbox, perform remote code execution, and carry out other malicious activities.

The full list of bugs addressed with the latest release is:

• [$7500][1237533] High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
• [$7500][1241036] High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
• [$5000][1245786] High CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
• [$TBD][1241123] High CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
• [$TBD][1243646] High CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-08-26
• [$TBD][1244568] High CVE-2021-30630: Inappropriate implementation in Blink . Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
• [$TBD][1246932] High CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
• [$TBD][1247763] High CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
• [$TBD][1247766] High CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08

Google urges its users to update their Google Chrome installs to the latest version immediately.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Google)

[adrotate banner=”5″]

[adrotate banner=”13″]