Threat Intelligence Alert: Google Releases Chrome Update to Patch 2 More Zero-Days That Are Being Actively Exploited in the Wild
Key Details
CVE-2021-38000 and CVE-2021-38003
Disclosure Date – October 28th, 2021
CVSS Score – N/A
Affected Products – Chrome versions before 95.0.4638.69
Exploit Released – Yes
Patch Available – Yes
Summary
Google released an update on their “chromereleases” blog on the 28th of October regarding the new stable channel update: 95.0.4638.69 for Windows, Mac and Linux, which is intended to be rolled out over the coming weeks.
This update fixes two zero-day vulnerabilities that are currently being exploited in the wild: CVE-2021-38000 and CVE-2021-38003, which relate to insufficient validation of untrusted user input and to an inappropriate implementation in the V8 JavaScript and WebAssembly engine, respectively. These vulnerabilities could allow threat actors to read confidential data and to execute arbitrary commands.
Mitigation
Google recommend that Chrome users update to the latest version (95.0.4638.69) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.
NCC Group also recommend frequently checking Microsoft Edge for new updates, as it is a Chromium-based browser and may also be affected by these vulnerabilities.
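Checking one machine through Settings > Help > 'About Google Chrome' does not scale to a fleet, so the following script, added here as an illustration and not part of the NCC Group alert, compares reported Chrome version strings against the fixed stable build named above (95.0.4638.69) and lists the hosts that still need the update. The inventory it runs over is constructed sample data; the hostnames and version values are assumptions, and in practice the mapping would come from an endpoint agent or software-inventory export.

```python
"""Flag Chrome installs that predate the fixed build named in the alert.

Added example, not part of the NCC Group alert. SAMPLE_INVENTORY is
constructed sample data (hostnames and versions are assumptions); in
practice feed the function from your endpoint agent or software inventory.
"""
from typing import Dict, List, Tuple

# Fixed stable build from the alert (95.0.4638.69 for Windows, Mac and Linux).
PATCHED_VERSION = "95.0.4638.69"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a comparable tuple of ints.

    Chrome versions are MAJOR.MINOR.BUILD.PATCH. Comparing them as plain
    strings is wrong ("95.0.4638.7" sorts after "95.0.4638.69" lexically),
    so every component is converted to an integer first.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed build is older than the patched build."""
    return parse_version(installed) < parse_version(patched)


def triage(inventory: Dict[str, str], patched: str = PATCHED_VERSION) -> List[str]:
    """Return the sorted hostnames whose Chrome is below the patched build.

    Hosts whose version string cannot be parsed are included too: an
    unreadable version cannot be assumed safe and should be checked by hand.
    """
    needs_update = []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version, patched):
                needs_update.append(host)
        except ValueError:
            needs_update.append(host)
    return sorted(needs_update)


# Constructed sample inventory (assumption): hostname -> reported Chrome version.
SAMPLE_INVENTORY = {
    "ws-001": "95.0.4638.69",   # already on the fixed build
    "ws-002": "95.0.4638.54",   # same major, older patch level: needs update
    "ws-003": "94.0.4606.81",   # older major: needs update
    "ws-004": "96.0.4664.45",   # newer than the fix: fine
    "ws-005": "unknown",        # agent failed to read the version: check by hand
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} -> update to {PATCHED_VERSION}")
```

The threshold applies to Chrome only: Microsoft Edge carries its own version numbers, so do not compare Edge builds against 95.0.4638.69; track Edge separately against Microsoft's own release notes, as the alert advises.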
NCC Group Actions
The NCC Group Threat Intelligence team is actively monitoring for further reports relating to these CVEs.