Google fixes two more Chrome zero-day bugs

 


Just a few days after releasing a security update to fix a Chrome zero-day bug, Google has rolled out yet another emergency update (Chrome 94.0.4606.71) to address two more vulnerabilities said to be under active attack.

The two zero-day flaws are tracked as CVE-2021-37975 and CVE-2021-37976. The first one is a use-after-free error within the Chrome V8 JavaScript engine, which can be exploited by a remote attacker for remote code execution by tricking a victim into visiting a malicious web page.

The second vulnerability has been described as an information disclosure issue in Chrome's core component. This bug allows a remote attacker to gain access to sensitive information. As with the first flaw, the attacker needs to trick a victim into visiting a specially crafted web page.

In addition to these two flaws, Google has fixed a use-after-free issue (CVE-2021-37974) in the Safe Browsing component of Google Chrome, which allows remote code execution.

Currently, there are no further details regarding how the two zero-day flaws were used in attacks, or who may have been behind them.

Chrome users can update to the latest version (94.0.4606.71) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome'.
