Google has released a security advisory for its Chrome users on Windows, Mac, and Linux, addressing seven security vulnerabilities. However, this release is including two very critical Zero-Day exploits exploited in the wild. Hence, these google chrome security vulnerabilities are tracking as CVE-2021-38000 and CVE-2021-38003. Endpoints that have not been patched are advised to deploy patches ASAP. A good Vulnerability Management System can resolve these issues and hence keep your systems safe and secure.
The flaws were discovered and reported by the Threat Analysis Group (TAG). The other high-severity issues addressed include three Use after free vulnerabilities (CVE-2021-37997,CVE-2021-37998, CVE-2021-38002), a data validation issue (CVE-2021-37999), and a type confusion vulnerability (CVE-2021-38001).
At the time of writing, details of attacks where both zero-days exploited arent made public. A patch management solution can patch these vulnerabilities.
The wildly-exploited vulnerability exists in the Chrome intents. It arises from an insufficient validation of untrusted input in Intents. Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group discovered and reported this issue.
Google added in the advisory,
Affected products by CVE-2021-38000
Google Chrome versions before 95.0.4638.69.
Impact of CVE-2021-38000
The vulnerabilities allow attackers to cause a program to crash, execute code, obtain potentially sensitive information, and hence, bypass security restrictions on the affected system.
Google has released security updates addressing the issue in Google Chrome version 95.0.4638.69.