Google has released Chrome version 86.0.4240.111 for Windows, Mac and Linux to address several vulnerabilities in its browser, including an actively exploited zero-day flaw.
Tracked as CVE-2020-15999, the vulnerability is described as a heap buffer overflow bug in the FreeType rendering engine. The vulnerability “exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts,” and can be exploited with specially crafted fonts containing embedded PNG images.
“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” Google said.
A patch for CVE-2020-15999 has been included in FreeType 2.10.4.
Windows, Mac, and Linux desktop users can upgrade to Chrome 86 via the built-in update mechanism by going to Settings -> Help -> About Google Chrome.
In addition to CVE-2020-15999, the new Chrome version also includes patches for high-severity flaws: an issue in Chrome's Blink rendering engine (CVE-2020-16000) and three use-after-free memory corruption bugs, in PDFium (CVE-2020-16002) and in the browser's media and printing functions (CVE-2020-16001, CVE-2020-16003).