Google fixes 2 new actively exploited zero-day flaws in Chrome

Google rolled out urgent security updates to address two new actively exploited zero-day vulnerabilities in its Chrome browser.

Google this week rolled out urgent security updates for the Chrome browser to address four security flaws, including two new zero-day vulnerabilities that are being exploited in the wild.

Google has addressed a total of five zero-day flaws this month, while the total number of zero-days fixed since the start of the year is 14.

The two zero-day vulnerabilities fixed in the last turn are tracked as CVE-2021-37975 and CVE-2021-37976.

The CVE-2021-37975 flaw is a use after free that resides in the V8 JavaScript engine, it was reported by an anonymous researcher. The CVE-2021-37976 is an Information leak that resides in the core, it was reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21.

The Google Threat Analysis Group (TAG) focuses on investigations into government-backed attacks, it is likely that the CVE-2021-37976 was discovered while the experts were investigating a campaign carried out by a nation-state actor.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.” states the update provided by Google. “Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild. “

Google has addressed a total of 14 zero-day vulnerabilities in Google Chrome since the start of the year, below is the full list.

CVE-2021-21148 – February 4th, 2021
CVE-2021-21166 – March 2nd, 2021
CVE-2021-21193 – March 12th, 2021
CVE-2021-21220 – April 13th, 2021
CVE-2021-21224 – April 20th, 2021
CVE-2021-30551 – June 9th, 2021
CVE-2021-30554 – June 17th, 2021
CVE-2021-30554 – June 17th, 2021
CVE-2021-30563 – July 15th, 2021
CVE-2021-30632 & CVE-2021-30633 – Sept 13th, 2021
CVE-2021-37973 – Sept 24th, 2021
CVE-2021-37975 and CVE-2021-37976 – Oct, 13st, 2021

Be sure to update your Chrome install to the latest 94.0.4606.71 version for Windows, Mac, and Linux.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.