Google on Thursday rolled out an emergency update for its Chrome web browser, including fixes for two zero-day vulnerabilities that it says are being actively exploited in the wild.
"Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild," the company noted in an advisory without delving into technical specifics about how the two vulnerabilities were used in attacks or the threat actors that may have weaponized them.
Also addressed as part of this stable channel update is a use-after-free vulnerability in the Web Transport component (CVE-2021-38002), which was demonstrated for the first time at the Tianfu Cup contest held earlier this month in China. With these patches, Google has resolved a record 16 zero-days in the web browser since the start of the year —
- CVE-2021-21148 - Heap buffer overflow in V8
- CVE-2021-21166 - Object recycle issue in audio
- CVE-2021-21193 - Use-after-free in Blink
- CVE-2021-21206 - Use-after-free in Blink
- CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 - Type confusion in V8
- CVE-2021-30551 - Type confusion in V8
- CVE-2021-30554 - Use-after-free in WebGL
- CVE-2021-30563 - Type confusion in V8
- CVE-2021-30632 - Out of bounds write in V8
- CVE-2021-30633 - Use-after-free in Indexed DB API
- CVE-2021-37973 - Use-after-free in Portals
- CVE-2021-37975 - Use-after-free in V8
- CVE-2021-37976 - Information leak in core
Chrome users are advised to update to the latest version (95.0.4638.69) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.