Google Patched Actively Exploited Zero Day Leak Vulnerability in Chrome


Google released a security update for a vulnerability in the desktop version of Chrome that was actively attacked before the patch was available. The zero-day vulnerability resides in the V8 JavaScript engine used to run JavaScript.


It is not the first time that Google Chrome has faced a zero day in V8. It was also hit last February and twice in November . Last December, Google decided to pay higher rewards to security researchers who report vulnerabilities in V8. The now fixed zero-day vulnerability is referred to as CVE-2021-21148 and is causing a heap buffer overflow in the JavaScript engine. Further details on the vulnerability or perceived attacks are not provided.


The impact of the vulnerability has been rated "high". In this case, these are leaks that allow an attacker to execute code within the context of the browser. It is then possible, for example, to read or adjust data from other websites. Vulnerabilities to escape from the Chrome sandbox are also included. The vulnerability in itself is not enough to take over a system. This would require a second vulnerability, for example in the underlying operating system.


Users are advised to update to Google Chrome version 88.0.4324.150 , which is available for Linux, macOS and Windows. Microsoft Edge Chromium, like Chrome, is based on the Chromium browser. Microsoft is expected to release an update soon. Google also released a Chrome update on February 2, followed by Microsoft on February 4 with a patch for Edge.

Previous Post Next Post