Google patches Chrome zero-day (CVE-2021-21166) exploited in the wild

Google has released a new Chrome 89 security update (89.0.4389.72) for Windows, Mac and Linux with fixes for multiple vulnerabilities, including one zero-day vulnerability, CVE-2021-21166, that is exploited in the wild.

An attacker could exploit this vulnerability to take control of impacted systems.

As part of the Chrome security update, Google patched 47 vulnerabilities. Eight of those are rated High severity, including an ‘Object lifecycle issue in audio’ vulnerability, CVE-2021-21166, that is exploited in the wild.

In total, the following 8 High severity vulnerabilities were addressed in the update and contributed by external researchers:

  1. CVE-2021-21159: Heap buffer overflow in TabStrip.
  2. CVE-2021-21160: Heap buffer overflow in WebAudio.
  3. CVE-2021-21161: Heap buffer overflow in TabStrip.
  4. CVE-2021-21162: Use after free in WebRTC.
  5. CVE-2021-21163: Insufficient data validation in Reader Mode.
  6. CVE-2021-21164: Insufficient data validation in Chrome for iOS.
  7. CVE-2021-21165: Object lifecycle issue in audio.
  8. CVE-2021-21166: Object lifecycle issue in audio (exploit in wild).

Both of the browser audio component vulnerabilities (CVE-2021-21165 and CVE-2021-21166) were discovered by Alison Huffman of the Microsoft Browser Vulnerability Research team.

Moreover, 16 Medium and 9 Low risk vulnerabilities were also discovered by researchers and fixed by Google in the latest update.

Finally, Google released a security update for Chrome 89 (89.0.4389.72) for Android.
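The practical follow-up for a defender is to confirm that the installed Chrome build is at or above 89.0.4389.72, the fixed version named above for every platform. The script below is an added example, not code from Google or from the article; it parses a Chrome version string numerically (a plain string comparison would wrongly rank 89.0.4389.100 below 89.0.4389.72), compares it against the patched version, and optionally queries a local Chrome binary. The binary names it probes and the sample `--version` output are assumptions constructed for the example.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed version named in the advisory above; the same build number is given
# for Windows, Mac, Linux and Android.
PATCHED_VERSION = "89.0.4389.72"

# Constructed sample of what `google-chrome --version` prints on Linux/macOS.
# This is an assumption for the example, not output captured from a real host.
SAMPLE_VERSION_OUTPUT = "Google Chrome 88.0.4324.182 \n"

# Matches a dotted version with two to four numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from free text and return it as an int tuple.

    Tuples of ints compare numerically, so 89.0.4389.100 correctly ranks
    above 89.0.4389.72; comparing the raw strings would get this wrong.
    Short versions are padded to four components so '89.0' == '89.0.0.0'.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(installed: str, fixed: str = PATCHED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def assess(installed: str, fixed: str = PATCHED_VERSION) -> str:
    """Human-readable verdict for a single host's Chrome version string."""
    version = ".".join(str(p) for p in parse_version(installed))
    if is_patched(installed, fixed):
        return f"Chrome {version}: patched (>= {fixed})"
    return f"Chrome {version}: UPDATE REQUIRED (< {fixed}, CVE-2021-21166 unfixed)"


def installed_chrome_version() -> Optional[str]:
    """Best-effort query of a local Chrome/Chromium binary on Linux or macOS.

    The candidate binary names are assumptions; returns None if none is found
    on PATH, so the caller can fall back to another inventory source.
    """
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, timeout=10)
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    # Evaluate the constructed sample first, then the local binary if present.
    print(assess(SAMPLE_VERSION_OUTPUT))
    local = installed_chrome_version()
    if local is not None:
        print(assess(local))
    else:
        print("no Chrome binary found on PATH; check your inventory tooling")
```

Running the script on a fleet would typically replace `installed_chrome_version()` with whatever inventory source you already have (endpoint agent, package manager, MDM export); the comparison logic is the part worth keeping, since it is the same for Chrome's four-component version numbers on every platform.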
