Security researcher Gengming Liu of Singular Security Lab reported this vulnerability to Google. Google has awarded him $15,000 for reporting this high-severity vulnerability.
Vulnerability Details (CVE-2021-21227)
An insufficient data validation vulnerability has been found in the Chrome browser, which allows remote attackers to execute arbitrary code. Security researcher Gengming Liu has said that the bug will not allow attackers to escape the sandbox on the system where Chrome is running, i.e., an attacker cannot access any other application or program on the system. Hence this bug needs to be coupled with other vulnerabilities to take over the system on which the browser is running and cause more damage.
The vulnerability could allow attackers to execute code remotely. Coupling this vulnerability with other bugs that escape the sandbox could result in access to other applications or programs on the system.
Google Chrome versions below 90.0.4430.93
To address this vulnerability, Google has released Chrome version 90.0.4430.93 for Windows, Linux, and Mac. A total of 9 vulnerabilities are fixed in this version, and they are as follows:
- CVE-2021-21227: Insufficient-data-validation vulnerability in the V8 component.
- CVE-2021-21228: Insufficient-policy-enforcement vulnerability in extensions.
- CVE-2021-21229: Incorrect-security-UI vulnerability in downloads.
- CVE-2021-21230: Type-confusion vulnerability in the V8 component.
- CVE-2021-21231: Insufficient-data-validation vulnerability in the V8 component.
- CVE-2021-21232: Use-after-free vulnerability in the Dev Tools component.
- CVE-2021-21233: Heap-buffer-overflow vulnerability in the ANGLE component.