Chrome security update (89.0.4389.128) fixes 2 zero-days exploited in the wild

Google has released a Chrome 89 security update (89.0.4389.128) for Windows, Mac and Linux with fixes for 2 vulnerabilities exploited in the wild.

An attacker could exploit these vulnerabilities to take control of impacted systems.

As part of the Chrome security update, Google patched a total of 2 High severity vulnerabilities:

  • CVE-2021-21206: Use after free in Blink.
  • CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64.

Moreover, Google warned that there are reports of exploits for each of these vulnerabilities in the wild.

Security researcher Rajvardhan Agarwal, who goes by the handle “r4j0x00”, posted proof-of-concept (PoC) exploit code on GitHub and sent out a tweet on April 12.

The zero-day affects the V8 JavaScript engine, as noted in CVE-2021-21220, and has been patched.

Although Google did confirm CVE-2021-21206 was also being exploited in the wild, it is not clear whether any PoC exploits were published online.
