Google developers have released Chrome version 90.0.4430.85 (for Windows, Mac and Linux), fixing a zero-day vulnerability that attackers have already been actively exploiting.
The issue is tracked as CVE-2021-21224 and was reported by security analyst Jose Martinez of VerSprite Inc. The vulnerability is described as a type confusion bug in the V8 JavaScript engine.
Martinez himself writes that the vulnerability is related to a PoC exploit for Chrome that was posted on Twitter last week. At the same time, the researcher had informed Google about the problem a week before that publication.
Let me remind you that the bug whose exploit was published on social networks did not by itself allow escaping the Chromium sandbox. That is, to break out of the sandbox an attacker would first have to chain this problem with other vulnerabilities.
Chrome version 90.0.4430.85 also fixes several less severe bugs, including:
- CVE-2021-21222: heap buffer overflow in V8;
- CVE-2021-21223: integer overflow in Mojo;
- CVE-2021-21225: out-of-bounds memory access in V8;
- CVE-2021-21226: use-after-free in navigation.