Google addresses second Chrome zero-day in two weeks

 


Google has released Chrome 86.0.4240.183 for Windows, Mac, and Linux, which contains security fixes for a total of ten vulnerabilities, including a flaw that is currently being exploited in the wild.

Tracked as CVE-2020-16009, the zero-day vulnerability is described as an inappropriate implementation in V8, Google's open source high-performance JavaScript and WebAssembly engine. Google did not provide further technical details regarding the vulnerability or the attacks targeting CVE-2020-16009.

In addition to CVE-2020-16009, the new update fixes nine high-risk flaws (CVE-2020-16004, CVE-2020-16005, CVE-2020-16006, CVE-2020-16007, CVE-2020-16008, and CVE-2020-16011) in several Chrome components.

A separate zero-day bug (CVE-2020-16010) has been fixed in Chrome for Android. The vulnerability is a heap-based buffer overflow that occurs when processing untrusted HTML content in the UI of Google Chrome on Android. A remote attacker who has compromised the renderer process can perform a sandbox escape via a crafted HTML page.

Chrome 86 (86.0.4240.185) for Android will become available on Google Play over the next few weeks.
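An added example, not part of the original article: a small audit that compares Chrome versions from an asset inventory against the fixed builds named above (86.0.4240.183 on desktop, 86.0.4240.185 on Android). The inventory format, host names and status labels are constructed for illustration, and the check assumes that any numerically later build also carries the fixes.

```python
# Fixed builds as stated in the article; everything else here is constructed.
DESKTOP_FIXED = (86, 0, 4240, 183)
FIXED = {"windows": DESKTOP_FIXED, "mac": DESKTOP_FIXED,
         "linux": DESKTOP_FIXED, "android": (86, 0, 4240, 185)}

# Constructed sample inventory: host,platform,chrome_version
SAMPLE_INVENTORY = """\
ws-001,windows,86.0.4240.183
ws-002,windows,86.0.4240.111
ws-003,mac,86.0.4240.99
srv-004,linux,87.0.4280.20
mob-005,android,86.0.4240.183
kiosk-006,chromeos,86.0.4240.183
ws-007,windows,unknown
"""


def parse_version(text):
    """Turn '86.0.4240.183' into (86, 0, 4240, 183); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory):
    """Return {host: 'patched' | 'outdated' | 'unknown'} for each record."""
    results = {}
    for line in inventory.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue  # skip blank or malformed records
        host, platform, version = fields
        fixed = FIXED.get(platform.lower())
        parsed = parse_version(version)
        if fixed is None or parsed is None:
            # Platform without a fixed build in the article, or unreadable version
            results[host] = "unknown"
        elif parsed >= fixed:
            # Tuples compare per component, so .99 sorts below .183
            results[host] = "patched"
        else:
            results[host] = "outdated"
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the versions as strings would wrongly rank 86.0.4240.99 above 86.0.4240.183, which is why each component is converted to an integer first.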

Last month, Google released a security update for Chrome to patch several vulnerabilities, including CVE-2020-15999, a zero-day issue in the FreeType rendering engine. As Google revealed last week, the CVE-2020-15999 flaw was used in attacks together with a zero-day vulnerability (CVE-2020-17087) in the Windows kernel. In the observed attacks, the Chrome vulnerability was used to run malicious code inside Chrome, while CVE-2020-17087 was exploited for sandbox escape.
