Google patches actively exploited Chrome browser zero-day vulnerability

Upgrading your Chrome build as quickly as possible is recommended.
Written by Charlie Osborne, Contributing Writer

Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild.

The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an "object lifecycle issue in audio." 

Google has labeled the vulnerability as a "high" severity security flaw and has fixed the issue in the latest Chrome release.  

Alongside CVE-2021-21166, Huffman also recently reported another high-severity bug, CVE-2021-21165, another object lifestyle issue in audio problem, and CVE-2021-21163, an insufficient data validation issue in Reader Mode. 

The tech giant has not revealed further details concerning how CVE-2021-21166 is being exploited, or by whom. 

Google's announcement, published on Tuesday, also marked the release of Chrome 89 to the stable desktop channel for Windows, Mac, and Linux machines, which is currently rolling out. Users should upgrade to Chrome 89.0.4389.72 once available. 

The Chrome 89.0.4389.72 release also contains a swathe of other security fixes and browser improvements. In total, 47 bugs have been patched, including a high-severity heap buffer overflow in TabStrip (CVE-2021-21159), another heap buffer overflow in WebAudio (CVE-2021-21160), and a use-after-free issue in WebRTC (CVE-2021-21162). A total of eight vulnerabilities are considered high-severity.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google added. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."

On February 4, Google pushed out a fix for CVE-2021-21148, a heap buffer overflow in the Chrome V8 JavaScript engine which is also being actively exploited. This high-severity security flaw was reported by Mattias Buelens on January 24. 

This week, Microsoft released urgent updates for four zero-day vulnerabilities in Exchange Server. Microsoft says the bugs are being exploited in "limited targeted attacks" and is urging users to update as quickly as possible. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards