Google Patches Chrome zero-day actively exploited

Google this week addressed 14 vulnerabilities in the Chrome browser, including a zero-day flaw that has been exploited in the wild.

Google released security updates to address 14 vulnerabilities in the Chrome browser, including a zero-day issue that has been exploited in the wild.

The most severe of these flaws, tracked as CVE-2021-30544, is a critical use-after-free issue that impacts BFCache.

A back/forward cache (bfcache) caches whole pages (including the JavaScript heap) when navigating away from a page, so that the full state of the page can be restored when the user navigates back. Think of it as pausing a page when you leave it and playing it when you return.

Google awarded $25,000 researchers Rong Jian and Guang Gong from 360 Alpha Lab for reporting this vulnerability.

Google released updates to fix six high-severity use-after-free flaws in Extensions, Autofill, Loader, Spell check, Accessibility, and V8, and a high-severity out-of-bounds write vulnerability in ANGLE.

One of these flaws, a zero-day Type Confusion issue in the V8 Javascript engine, tracked as CVE-2021-30551, is already being exploited in attacks in the wild.

“Google is aware that an exploit for CVE-2021-30551 exists in the wild.” reads the post published by Google.

Shane Huntley, director of Google’s Threat Analysis Group, revealed that a “commercial exploit company providing capability for limited nation-state Eastern Europe/Middle East targeting” has developed an exploit for the CVE-2021-30551.

It seems that the same commercial exploit company has also developed an exploit for a critical RCE, tracked as CVE-2021-33742, in the Windows MSHTML platform.

Since the beginning of 2021, Google addressed other zero-day vulnerabilities in Chrome:

  • CVE-2021-21148;
  • CVE-2021-21166; 
  • CVE-2021-21193;
  • CVE-2021-21220;
  • CVE-2021-21224.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Google Chrome)

The post Google Patches Chrome zero-day actively exploited appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source