Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux that addresses a high-severity zero-day vulnerability (CVE-2021-37973) exploited in the wild. An attacker can exploit this flaw to execute arbitrary code on systems running vulnerable Chrome versions. This vulnerability is the eleventh zero-day fixed this year.
This emergency update was rolled out to the Stable desktop channel and will reach all users over the next few days.
The vulnerability is a use-after-free in Portals. It was reported by Clément Lecigne of Google TAG, who worked with Sergei Glazunov and Mark Brand of Google Project Zero.
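A practical follow-up for defenders is confirming which endpoints already run the fixed build. The script below is an added example, not code from the article or from Google: it compares four-part Chrome version strings numerically against 94.0.4606.61 and triages a constructed inventory. The `inventory` values are made-up sample data; the only real number is the fixed version quoted above.

```python
# Added example (not from the article): triage installed Chrome versions
# against the build that fixes CVE-2021-37973.
FIXED_VERSION = "94.0.4606.61"  # fixed build named in Google's advisory


def parse_version(version):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for ordering.

    Plain string comparison is wrong here: '94.0.4606.9' sorts after
    '94.0.4606.61' lexically even though 9 < 61, and '100.x' sorts before
    '94.x'. Comparing tuples of integers avoids both mistakes.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version, fixed=FIXED_VERSION):
    """True if `version` is the fixed build or newer."""
    return parse_version(version) >= parse_version(fixed)


def triage(inventory, fixed=FIXED_VERSION):
    """Map host -> 'patched' | 'vulnerable' | 'unknown' for a version inventory.

    Unparseable strings are reported as 'unknown' rather than silently
    treated as patched, so they still show up for follow-up.
    """
    status = {}
    for host, version in inventory.items():
        try:
            status[host] = "patched" if is_patched(version, fixed) else "vulnerable"
        except ValueError:
            status[host] = "unknown"
    return status


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "ws-001": "94.0.4606.61",   # exactly the fixed build
    "ws-002": "94.0.4606.54",   # previous 94 build, still vulnerable
    "ws-003": "93.0.4577.82",   # older major, vulnerable
    "ws-004": "94.0.4606.71",   # newer patch level, patched
    "ws-005": "n/a",            # agent failed to report a version
}

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {state}")
```

Feed it whatever your endpoint agent or software inventory exports for the Chrome version, and treat `unknown` entries as work items rather than noise.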
Google confirmed that it is aware of the availability of an exploit for CVE-2021-37973, but the IT giant did not reveal if it is aware of attacks in the wild exploiting this issue.
“Google is aware that an exploit for CVE-2021-37973 exists in the wild,” reads the advisory published by Google. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Google has addressed eleven zero-day vulnerabilities in Chrome this year; below is the list of the other flaws fixed by the company since January:
(SecurityAffairs – hacking, Turla)