Google has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the 17th such weakness to be disclosed since the start of the year.
Tracked as CVE-2021-4102, the flaw relates to a use-after-free bug in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from corruption of valid data to the execution of arbitrary code. An anonymous researcher has been credited with discovering and reporting the flaw.
As it stands, it's not known how the weakness is being abused in real-world attacks, but the internet giant issued a terse statement that said, "it's aware of reports that an exploit for CVE-2021-4102 exists in the wild." This is done so in an attempt to ensure that a majority of users are updated with a fix and prevent further exploitation by other threat actors.
CVE-2021-4102 is the second use-after-free vulnerability in V8 the company has remediated in less than three months following reports of active exploitation, with the previous vulnerability CVE-2021-37975, also reported by an anonymous researcher, plugged in an update it shipped on September 30. It's not immediately clear if the two flaws bear any relation to one another.
With this latest update, Google has addressed a record 17 zero-days in Chrome this year alone —
- CVE-2021-21148 - Heap buffer overflow in V8
- CVE-2021-21166 - Object recycle issue in audio
- CVE-2021-21193 - Use-after-free in Blink
- CVE-2021-21206 - Use-after-free in Blink
- CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 - Type confusion in V8
- CVE-2021-30551 - Type confusion in V8
- CVE-2021-30554 - Use-after-free in WebGL
- CVE-2021-30563 - Type confusion in V8
- CVE-2021-30632 - Out of bounds write in V8
- CVE-2021-30633 - Use-after-free in Indexed DB API
- CVE-2021-37973 - Use-after-free in Portals
- CVE-2021-37975 - Use-after-free in V8
- CVE-2021-37976 - Information leak in core
- CVE-2021-38000 - Insufficient validation of untrusted input in Intents
- CVE-2021-38003 - Inappropriate implementation in V8
Chrome users are recommended to update to the latest version (96.0.4664.110) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.
