Chrome 95.0.4638.69 for Windows, Mac, and Linux has been published to address eight bugs, including two zero-day vulnerabilities that attackers have been extensively exploiting.
Google confirmed that CVE-2021-38000 and CVE-2021-38003 have been exploited in the wild, according to the list of security patches included in the latest Google Chrome version.
While Google warns that the new version may take time to reach all users, Chrome 95.0.4638.69 has already begun rolling out worldwide in the Stable Desktop channel. To get the Chrome update right now, navigate to the Chrome menu > Help > About Google Chrome, and the browser will start updating itself.
This Chrome update addresses eight vulnerabilities, two of which are zero-days that have been exploited in the wild.
The listed fixes are:
[$10000][1259864] High CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14
[$7500][1259587] High CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-13
[$1000][1251541] High CVE-2021-37999 : Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
[$N/A][1249962] High CVE-2021-38000 : Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
[$N/A][1260577] High CVE-2021-38001 : Type Confusion in V8. Reported by Kunlun Lab via Tianfu Cup on 2021-10-16
[$N/A][1260940] High CVE-2021-38002 : Use after free in Web Transport. Reported by @__R0ng of 360 Alpha Lab, 漏洞研究院青训队 via Tianfu Cup on 2021-10-16
[$TBD][1263462] High CVE-2021-38003 : Inappropriate implementation in V8. Reported by Clément Lecigne from Google TAG and Samuel Groß from Google Project Zero on 2021-10-26
The first zero-day, CVE-2021-38000, is rated high severity and described as “insufficient validation of untrusted input in Intents.” The second zero-day, tagged as CVE-2021-38003, is a high severity “Inappropriate implementation” vulnerability in the Chrome V8 JavaScript engine.
At this point, neither Google nor the researchers have revealed any more information on how threat actors exploited the vulnerabilities in attacks. However, because Google uncovered the flaws, we may learn more in future Google TAG or Project Zero reports.
Because these two flaws have been exploited in attacks, it is recommended that all Chrome users upgrade manually or restart their browsers to get the current version.
As Google is currently putting out Chrome updates to remedy zero-days, users are strongly advised not to stop updates and to install new versions as they become available.