Search Information Security site

 

Main menu

Two more Chrome Zero-Day flaws CVE-2021-21206 & 21220

Date: 
Wednesday, April 14, 2021 - 11:00

Two more Zero-Day flaws in the Chrome web browser for Windows, Macintosh, and Linux computers

Two more zero-day flaws have been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2021-21206 and CVE-2021-21220) are a high and medium severity flaw (respectively) on the CVSS vulnerability-rating scale.  Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows: 

  • A use-after-free vulnerability that exists in the ‘BLINK' component. (CVE-2021-21206)
  • An insufficient validation of untrusted input in ‘V8’ component for x86_64. (CVE-2021-21220)

If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Google has released an update that addresses this vulnerability (version 89.0.4389.128). Most Chrome browser will auto-updated and the update requires the browser to be restarted.
Considering the disclosed vulnerabilities, you should update your Chrome browser to the latest version (at least 89.0.4389.128) as soon as possible.  This update addresses these two security flaws.

Double-check your Chrome Browser is up-to-date

Chrome will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.

In Chrome, click on Settings  then About Chrome

If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 89.0.4389.128 

Additional Details

One vulnerability (CVE-2021-21206) exists in Blink, the browser engine for Chrome and the other (CVE-2021-21220) in the ‘V8’ component for x86_64.
Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users. The flaw (CVE-2021-21206) ranks 7.3 out of 10 on the CVSS vulnerability-rating scale, making it high-severity, while the other flaw (CVE-2021-21220) ranks 4.8 out of 10, making it a medium-severity flaw. 

(References: https://www.securityweek.com/google-patches-more-under-attack-chome-zero-dayshttps://nvd.nist.gov/vuln/detail/CVE-2021-20206 and https://nvd.nist.gov/vuln/detail/CVE-2021-20220 ).

Please see the Chrome Security Page and the Chrome Stable Release webpages for more information.
 

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form