Google has released a security advisory for its Chrome users on Windows, Mac, and Linux, addressing seven security vulnerabilities. This release includes two very critical Zero-Day exploits being exploited in the wild. These google chrome security vulnerabilities are tracked as CVE-2021-38000 and CVE-2021-38003. Endpoints that have not been patched are advised to deploy patches ASAP.
The flaws were discovered and reported by the Threat Analysis Group (TAG). The other high-severity issues addressed include three Use after free vulnerabilities (CVE-2021-37997 ,CVE-2021-37998, CVE-2021-38002), a data validation issue (CVE-2021-37999), and a type confusion vulnerability (CVE-2021-38001).
At the time of writing, details of attacks where both zero-days are being exploited have not been made public.
The wildly-exploited vulnerability exists in the Chrome intents. It arises from an insufficient validation of untrusted input in Intents. Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group discovered and reported this issue.
Google added in the advisory,
Google Chrome versions before 95.0.4638.69.
The vulnerabilities allow attackers to cause a program to crash, execute code, obtain potentially sensitive information, and bypass security restrictions on the affected system.
Google has released the security updates addressing the issue in Google Chrome version 95.0.4638.69.