Google patches yet another Chrome zero-day bug

Google has released Chrome 89.0.4389.90 for Windows, Mac and Linux. The update fixes several high-severity flaws, including a zero-day that is being actively exploited in the wild. It is the second Chrome zero-day the browser maker has patched this month.

The zero-day in question is tracked as CVE-2021-21193 and is described as a use-after-free bug in Blink, Chrome's rendering engine. Successful exploitation lets an attacker execute arbitrary code in the context of the renderer process; since the renderer is sandboxed, a full system compromise would additionally require a sandbox escape. To trigger the bug, an attacker only needs to lure the victim into opening a malicious web page.

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,” said the tech giant in the release note without providing any additional details regarding the attacks exploiting the vulnerability, or malicious actors behind them.

In addition to CVE-2021-21193, Chrome 89.0.4389.90 fixes two further high-severity memory-safety bugs that could also lead to code execution.

The first one (CVE-2021-21191) is a use-after-free issue in the WebRTC component of Google Chrome. A remote attacker can trick the victim into opening a specially crafted website, trigger the use-after-free and execute arbitrary code on the system.

The second bug (CVE-2021-21192) is a heap-based buffer overflow in the tab groups implementation in Google Chrome. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger the heap-based buffer overflow and execute arbitrary code on the target system.
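The practical question for anyone managing a fleet is whether every install is on 89.0.4389.90 or later. The script below is an added example written for this article, not code from Google or the Chrome project: it parses a Chrome version string (as printed by `google-chrome --version` on Linux) and compares it numerically against the fixed build. The binary names it probes and the sample strings it checks are assumptions constructed for the example; on Windows or macOS, feed the version string obtained from the registry or the app bundle into `is_patched` instead. Numeric comparison matters: a naive string compare would rank a later build such as 89.0.4389.100 below 89.0.4389.90.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed build named in the article: Chrome 89.0.4389.90.
FIXED_VERSION = "89.0.4389.90"

# Assumed binary names to probe on Linux; adjust for your distribution.
CHROME_BINARIES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part dotted Chrome version (e.g. 89.0.4389.90) from text
    such as 'Google Chrome 89.0.4389.90' and return it as a tuple of ints so
    that comparisons are numeric rather than lexical."""
    m = re.search(r"\b(\d+(?:\.\d+){3})\b", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the version found in version_text is >= the fixed build."""
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return installed >= parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Best-effort query of a locally installed Chrome/Chromium on Linux.
    Returns the raw '--version' output, or None if no binary was found."""
    for exe in CHROME_BINARIES:
        try:
            proc = subprocess.run([exe, "--version"], capture_output=True,
                                  text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    return None


# Constructed sample outputs (not real inventory data) to exercise the check offline.
SAMPLE_OUTPUTS = {
    "host-a": "Google Chrome 89.0.4389.82",      # pre-fix build: vulnerable
    "host-b": "Google Chrome 89.0.4389.90",      # exactly the fixed build
    "host-c": "Google Chrome 89.0.4389.100",     # later build; numeric compare needed
    "host-d": "Chromium 90.0.4430.72",           # newer major version
}


def audit(outputs: dict) -> dict:
    """Map each host to True (patched) / False (vulnerable)."""
    return {host: is_patched(text) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, ok in audit(SAMPLE_OUTPUTS).items():
        print(f"{host}: {'patched' if ok else 'VULNERABLE (update to ' + FIXED_VERSION + ')'}")
    local = installed_chrome_version()
    if local is not None:
        print(f"local: {local} -> {'patched' if is_patched(local) else 'VULNERABLE'}")
```

Run it on a host to get a pass/fail for each constructed sample and, where a Linux Chrome binary is found, for the local install; in a real deployment you would replace `SAMPLE_OUTPUTS` with version strings collected by your inventory tooling.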
