Google has released Chrome 89.0.4389.72 version for Windows, Mac, and Linux, which contains a number of improvements and patches for multiple vulnerabilities, including a zero day flaw that has been observed being exploited in the wild.
The zero day flaw, tracked as CVE-2021-21166, is a remote code execution bug that exists due to improper control of object lifetime in audio in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
Google said that it is aware of the vulnerability being exploited in the wild, but the company did not provide additional information regarding the attacks or the threat actor behind them.
CVE-2021-21166 is the second Chrome zero day vulnerability patched by Google this year. Last month, the tech giant released Chrome version 88.0.4324.150 to address a heap-based overflow issue (CVE-2021-21148) in the V8 JavaScript engine that allowed arbitrary code execution on the target system by tricking a user into visiting a malicious web page.
In addition to CVE-2021-21166, Chrome 89.0.4389.72 contains fixes for a number of high-risk vulnerabilities (CVE-2021-21174, CVE-2021-21175, CVE-2021-21176, CVE-2021-21178, CVE-2021-21159, CVE-2021-21160, CVE-2021-21161, CVE-2021-21162, CVE-2021-21165, CVE-2020-27844) that could allow a remote attacker to execute arbitrary code on the system or gain access to sensitive information.
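For administrators who need to confirm that a fleet is on a fixed build, the following added example (not code from Google or from this article) compares an installed Chrome version against the two fixed versions named above, 89.0.4389.72 for CVE-2021-21166 and 88.0.4324.150 for CVE-2021-21148. Chrome versions are four dot-separated numeric fields, so they are compared field by field as integers rather than as strings. The `version_from_cli_output` helper assumes the `google-chrome --version` output format "Google Chrome 89.0.4389.72"; the function names and the constructed sample strings are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed Chrome release versions as stated in the article above.
FIXED_VERSIONS: Dict[str, str] = {
    "CVE-2021-21166": "89.0.4389.72",
    "CVE-2021-21148": "88.0.4324.150",
}

# Chrome versions have exactly four numeric fields: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '89.0.4389.72' into (89, 0, 4389, 72); return None if malformed.

    Integer tuples compare field by field, which avoids the string-comparison
    trap where '89.0.4389.9' would sort after '89.0.4389.72'.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        return None
    return tuple(int(field) for field in version.split("."))


def version_from_cli_output(output: str) -> Optional[str]:
    """Extract the version from text like 'Google Chrome 89.0.4389.72' (assumed format)."""
    match = re.search(r"(\d+\.\d+\.\d+\.\d+)", output)
    return match.group(1) if match else None


def is_patched(installed: str, cve: str) -> Optional[bool]:
    """True if `installed` is at or above the fixed version for `cve`.

    Returns None when the installed version string cannot be parsed, so a
    caller cannot mistake a parse failure for a patched host.
    """
    fixed = FIXED_VERSIONS.get(cve)
    if fixed is None:
        raise KeyError(f"no fixed version recorded for {cve}")
    parsed_installed = parse_version(installed)
    if parsed_installed is None:
        return None
    parsed_fixed = parse_version(fixed)
    assert parsed_fixed is not None  # table entries are well-formed by construction
    return parsed_installed >= parsed_fixed


def unpatched_cves(installed: str) -> List[str]:
    """List every CVE in the table whose fix is newer than the installed version."""
    missing = []
    for cve in sorted(FIXED_VERSIONS):
        if is_patched(installed, cve) is not True:  # None (unparseable) counts as unpatched
            missing.append(cve)
    return missing


if __name__ == "__main__":
    # Constructed sample of `google-chrome --version` output on an un-updated host.
    sample_output = "Google Chrome 88.0.4324.150 "
    installed = version_from_cli_output(sample_output) or "unknown"
    print(f"installed: {installed}")
    print(f"missing fixes: {unpatched_cves(installed)}")
```

Running the block as a script on the constructed sample reports that a host on 88.0.4324.150 has the CVE-2021-21148 fix but still lacks the CVE-2021-21166 fix shipped in 89.0.4389.72.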