On Thursday, Google rolled out urgent security updates for its Chrome browser, including two new security flaws that the firm claims are being abused in the wild, making them the company’s fourth and fifth active zero-days this month.
The vulnerabilities are named CVE-2021-37975 and CVE-2021-37976. They are part of a set of four patches that address a use-after-free flaw in the V8 JavaScript and WebAssembly engines, as well as a data leak in the core.
As expected, the IT giant has withheld any more information on how these zero-day vulnerabilities were exploited in attacks until most users have been patched. However, the company informed that “CVE-2021-37975 and CVE-2021-37976 exploits exist in the wild.”
CVE-2021-37975 was discovered by an anonymous researcher, whereas the credit for finding CVE-2021-37976 goes to Clément Lecigne from Google Threat Analysis Group. He was earlier accredited for CVE-2021-37973, another extensively exploited use-after-free vulnerability in Chrome’s Portal API that was disclosed last week.
Since the beginning of 2021, Google has fixed a total of 14 zero-day vulnerabilities in its web browser. Two are mentioned above, and here is a list of the remaining twelve flaws:
- CVE-2021-21148
- CVE-2021-21166
- CVE-2021-21193
- CVE-2021-21206
- CVE-2021-21220
- CVE-2021-21224
- CVE-2021-30551
- CVE-2021-30554
- CVE-2021-30563
- CVE-2021-30632
- CVE-2021-30633
- CVE-2021-37973
Chrome users on Windows, Mac, and Linux should upgrade to the current version (94.0.4606.71). They can head to Settings > Help > “About Google Chrome” to avoid any potential danger of active exploitation.
Google noted that access to technical details is restricted until a majority of users are updated with a fix.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google noted.
This update comes just a few days after Google rolled out fixes for another critical zero-day, which is tracked as CVE-2021-37973, and has been classified as a use-after-free flaw in the Portals API.