Google patches Chrome zero-day (CVE-2021-21166) exploited in the wild

Google has released a new Chrome 89 security update (89.0.4389.72) for Windows, Mac and Linux with fixes for multiple vulnerabilities, including one zero-day vulnerability, CVE-2021-21166, that is being exploited in the wild.

An attacker could exploit this vulnerability to take control of impacted systems.

As part of the Chrome security update, Google patched 47 vulnerabilities. Eight of those are rated High severity, including the 'Object lifecycle issue in audio' vulnerability CVE-2021-21166 exploited in the wild.

In total, the update addressed the following eight High severity vulnerabilities reported by external researchers:

  1. CVE-2021-21159: Heap buffer overflow in TabStrip.
  2. CVE-2021-21160: Heap buffer overflow in WebAudio.
  3. CVE-2021-21161: Heap buffer overflow in TabStrip.
  4. CVE-2021-21162: Use after free in WebRTC.
  5. CVE-2021-21163: Insufficient data validation in Reader Mode.
  6. CVE-2021-21164: Insufficient data validation in Chrome for iOS.
  7. CVE-2021-21165: Object lifecycle issue in audio.
  8. CVE-2021-21166: Object lifecycle issue in audio (exploited in the wild).

Both of the browser audio component vulnerabilities (CVE-2021-21165 and CVE-2021-21166) were discovered by Alison Huffman of the Microsoft Browser Vulnerability Research team.

Moreover, 16 Medium and 9 Low severity vulnerabilities discovered by researchers were also fixed by Google in the latest update.

Finally, Google released a security update for Chrome 89 (89.0.4389.72) for Android.
