Multiple vulnerabilities in Google Chrome



Published: 2021-01-19
Risk: High
Patch available: YES
Number of vulnerabilities: 36
CVE ID: CVE-2021-21134, CVE-2021-21128, CVE-2021-21129, CVE-2021-21130, CVE-2021-21131, CVE-2021-21132, CVE-2021-21133, CVE-2021-21135, CVE-2021-21126, CVE-2021-21136, CVE-2021-21137, CVE-2021-21138, CVE-2021-21139, CVE-2021-21140, CVE-2021-21141, CVE-2021-21127, CVE-2021-21125, CVE-2021-21124, CVE-2021-21117, CVE-2021-21118, CVE-2021-21119, CVE-2021-21120, CVE-2021-21121, CVE-2021-21122, CVE-2021-21123, CVE-2020-16044
CWE ID: CWE-119, CWE-451, CWE-122, CWE-264, CWE-358, CWE-416, CWE-908, CWE-20
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #4, #5, #6, #16 and #35.
Vulnerable software: Google Chrome (Client/Desktop applications / Web browsers)
Vendor: Google, Inc.

Security Advisory

1) Memory corruption

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1162198

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21134

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Page Info in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1157800

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Heap-based buffer overflow

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21128

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Blink. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1138877

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21129

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in the File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1140403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Permissions, Privileges, and Access Controls

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21130

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in the File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1140410

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Permissions, Privileges, and Access Controls

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21131

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in the File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1140417

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improperly implemented security check for standard

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21132

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1128206

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Permissions, Privileges, and Access Controls

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21133

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Downloads in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1157743

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improperly implemented security check for standard

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21135

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Performance API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1157818

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Permissions, Privileges, and Access Controls

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21126

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in extensions in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1108126

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Permissions, Privileges, and Access Controls

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21136

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in WebView in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1038002

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improperly implemented security check for standard

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21137

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1093791

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use-after-free

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21138

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1122487

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improperly implemented security check for standard

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21139

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an incorrect implementation in the iframe sandbox in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/937131

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use of uninitialized resource

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21140

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the use of uninitialized resources in USB in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1136327

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Permissions, Privileges, and Access Controls

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21141

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in the File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1140435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Permissions, Privileges, and Access Controls

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21127

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in extensions in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1115590

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Permissions, Privileges, and Access Controls

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21125

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in the File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and compromise the affected system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1152327

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Memory corruption

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1161654

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Security restrictions bypass

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an unspecified error. A remote attacker can gain access to sensitive information.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1135835

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Memory corruption

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1156904

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Memory corruption

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1153329

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Security restrictions bypass

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an unspecified error. A remote attacker can bypass imposed security restrictions or gain access to sensitive information.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1142069

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Security restrictions bypass

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an unspecified error. A remote attacker can bypass imposed security restrictions or gain access to sensitive information.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0 through 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1097499

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Security restrictions bypass

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an unspecified error. A remote attacker can gain access to sensitive information.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1145906

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Security restrictions bypass

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an unspecified error. A remote attacker can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1144646

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Security restrictions bypass

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an unspecified error. A remote attacker can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179
https://crbug.com/1135594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21124

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Speech Recognizer component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1131346

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Permissions, Privileges, and Access Controls

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21117

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Cryptohome in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and compromise the affected system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137179

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Input validation error

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21118

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in V8 in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code on the system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1161357

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21119

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Media component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1160534

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21120

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the WebSQL component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1160602

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21121

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Omnibox component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1161143

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21122

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Blink component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1162131

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Input validation error

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21123

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in the File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code on the system.

Mitigation

Update to version 88.0.4324.96.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1137247

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-16044

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error when processing a COOKIE-ECHO chunk in an SCTP packet. A remote attacker can pass specially crafted data to the browser, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 88.0.4324.0, 88.0.4324.1, 88.0.4324.2, 88.0.4324.3, 88.0.4324.4, 88.0.4324.5, 88.0.4324.6, 88.0.4324.7, 88.0.4324.8, 88.0.4324.9, 88.0.4324.10, 88.0.4324.11, 88.0.4324.12, 88.0.4324.13, 88.0.4324.14, 88.0.4324.15, 88.0.4324.16, 88.0.4324.17, 88.0.4324.18, 88.0.4324.19, 88.0.4324.20, 88.0.4324.21, 88.0.4324.22, 88.0.4324.23, 88.0.4324.24, 88.0.4324.25, 88.0.4324.26, 88.0.4324.27, 88.0.4324.28, 88.0.4324.29, 88.0.4324.30, 88.0.4324.31, 88.0.4324.32, 88.0.4324.33, 88.0.4324.34, 88.0.4324.35, 88.0.4324.36, 88.0.4324.37, 88.0.4324.38, 88.0.4324.39, 88.0.4324.40, 88.0.4324.41, 88.0.4324.42, 88.0.4324.43, 88.0.4324.44, 88.0.4324.45, 88.0.4324.46, 88.0.4324.47, 88.0.4324.48, 88.0.4324.49, 88.0.4324.50, 88.0.4324.51, 88.0.4324.52, 88.0.4324.53, 88.0.4324.54, 88.0.4324.55, 88.0.4324.56, 88.0.4324.57, 88.0.4324.58, 88.0.4324.59, 88.0.4324.60, 88.0.4324.61, 88.0.4324.62, 88.0.4324.63, 88.0.4324.64, 88.0.4324.65, 88.0.4324.66, 88.0.4324.67, 88.0.4324.68, 88.0.4324.69, 88.0.4324.70, 88.0.4324.71, 88.0.4324.72, 88.0.4324.73, 88.0.4324.74, 88.0.4324.75, 88.0.4324.76, 88.0.4324.77, 88.0.4324.78, 88.0.4324.79, 88.0.4324.80, 88.0.4324.81, 88.0.4324.82, 88.0.4324.83, 88.0.4324.84, 88.0.4324.85, 88.0.4324.86, 88.0.4324.87, 88.0.4324.88, 88.0.4324.89, 88.0.4324.90, 88.0.4324.91, 88.0.4324.92, 88.0.4324.93, 88.0.4324.94, 88.0.4324.95

External links

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
https://crbug.com/1163228

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


