Chrome Releases Update Patching Actively Exploited Zero-Day Vulnerability

Google rolled out an emergency security patch for its Chrome web browser on the 24th of September, 2021, to address a security flaw that’s known to have an exploit in the wild.

The vulnerability is tracked as CVE-2021-37973 and described as a use-after-free in the Portals API, a web page navigation system that enables a page to show another page as an inset and “perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document.”

Credited with reporting the flaw is Clément Lecigne of Google Threat Analysis Group (TAG). Additional specifics pertaining to the weakness have not been disclosed in light of active exploitation and to allow a majority of the users to apply the patch, but the internet giant said it’s “aware that an exploit for CVE-2021-37973 exists in the wild.”

The update comes a day after Apple moved to close an actively exploited security hole in older versions of iOS and macOS (CVE-2021-30869), which the TAG noted as being “used in conjunction with a N-day remote code execution targeting WebKit.” With the latest fix, Google has addressed a total of 12 zero-day flaws in Chrome since the start of 2021:

CVE-2021-21148 – Heap buffer overflow in V8
CVE-2021-21166 – Object recycle issue in audio
CVE-2021-21193 – Use-after-free in Blink
CVE-2021-21206 – Use-after-free in Blink
CVE-2021-21220 – Insufficient validation of untrusted input in V8 for x86_64
CVE-2021-21224 – Type confusion in V8
CVE-2021-30551 – Type confusion in V8
CVE-2021-30554 – Use-after-free in WebGL
CVE-2021-30563 – Type confusion in V8
CVE-2021-30632 – Out of bounds write in V8
CVE-2021-30633 – Use-after-free in Indexed DB API

Chrome users are advised to update to the latest version (94.0.4606.61) for Windows, Mac, and Linux by heading to Settings > Help > ‘About Google Chrome’ to mitigate the risk associated with the flaw.
