An emergency update for Chrome web browser fixing two zero-day vulnerabilities has been released.
The vulnerability is tracked as CVE-2021-38000 and CVE-2021-38003 and relates to insufficient validaton of untrusted input in a feature called Intents and inappropriate implentation in V8 JavaScript and WebAssembly engine. This flaw was discovered and reported by Threat Analysis Group (TAG) on September 15, 2021 and October 26, 2021 respectively.
Also addressed as part of this stable channel update is a use-after-free vulnerability in the Web Transport component (CVE-2021-38002), which was demonstrated for the first time at the Tianfu Cup contest held earlier this month in China. With these patches, Google has resolved a record 16 zero-days in the web browser since the start of the year —
CVE-2021-21148 – Heap buffer overflow in V8
CVE-2021-21166 – Object recycle issue in audio
CVE-2021-21193 – Use-after-free in Blink
CVE-2021-21206 – Use-after-free in Blink
CVE-2021-21220 – Insufficient validation of untrusted input in V8 for x86_64
CVE-2021-21224 – Type confusion in V8
CVE-2021-30551 – Type confusion in V8
CVE-2021-30554 – Use-after-free in WebGL
CVE-2021-30563 – Type confusion in V8
CVE-2021-30632 – Out of bounds write in V8
CVE-2021-30633 – Use-after-free in Indexed DB API
CVE-2021-37973 – Use-after-free in Portals
CVE-2021-37975 – Use-after-free in V8
CVE-2021-37976 – Information leak in core
Update your Chrome browser to the latest version (95.0.4638.69) for Windows, Mac, and Linux by heading to Settings > Help > ‘About Google Chrome’ to mitigate any potential risk of active exploitation.