Security News > 2021 > April > Google Patches Yet Another Serious V8 Vulnerability in Chrome
An update released this week by Google for Chrome 90 patches yet another serious vulnerability affecting the V8 JavaScript engine used by the web browser.
Liu told SecurityWeek that the flaw can be exploited for remote code execution in the targeted user's browser, but noted that, similar to other recently disclosed V8 vulnerabilities, it does not escape the Chrome sandbox - a sandbox escape bug is needed to exploit CVE-2021-21227 in real world attacks.
The hacker says CVE-2021-21227 is related to CVE-2020-16040 and CVE-2020-15965, similar high-severity V8 vulnerabilities that Google patched in Chrome in December and September 2020, respectively.
CVE-2020-16040 and CVE-2020-15965 were reported to Google by Lucas Pinheiro of Microsoft Browser Vulnerability Research.
Google has patched several serious V8 vulnerabilities in recent weeks, including some for which PoC exploits were released before patches were made available.
The Chrome 90 update released this week includes 9 security fixes, including for a couple of other high-severity issues, three medium-severity bugs, and one low-severity vulnerability.
News URL
Related news
- Google fixes ninth Chrome zero-day exploited in attacks this year (source)
- Google fixes ninth Chrome zero-day tagged as exploited this year (source)
- Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild (source)
- Google tags a tenth Chrome zero-day as exploited this year (source)
- Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation (source)
- Google increases Chrome bug bounty rewards up to $250,000 (source)
- Google Chrome gets a mind of its own for some security fixes (source)
- Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense (source)
- Chrome Users Can Now Sync Passkeys Across Devices with New Google PIN Feature (source)
- New Google Chrome feature will translate complex pages in real time (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-30 | CVE-2021-21227 | Out-of-bounds Write vulnerability in multiple products Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-01-08 | CVE-2020-16040 | Out-of-bounds Write vulnerability in Google Chrome Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 4.3 |
| 2020-09-21 | CVE-2020-15965 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | 8.8 |