Security News > 2021 > April > Google Patches Yet Another Serious V8 Vulnerability in Chrome
An update released this week by Google for Chrome 90 patches yet another serious vulnerability affecting the V8 JavaScript engine used by the web browser.
Liu told SecurityWeek that the flaw can be exploited for remote code execution in the targeted user's browser, but noted that, similar to other recently disclosed V8 vulnerabilities, it does not escape the Chrome sandbox - a sandbox escape bug is needed to exploit CVE-2021-21227 in real world attacks.
The hacker says CVE-2021-21227 is related to CVE-2020-16040 and CVE-2020-15965, similar high-severity V8 vulnerabilities that Google patched in Chrome in December and September 2020, respectively.
CVE-2020-16040 and CVE-2020-15965 were reported to Google by Lucas Pinheiro of Microsoft Browser Vulnerability Research.
Google has patched several serious V8 vulnerabilities in recent weeks, including some for which PoC exploits were released before patches were made available.
The Chrome 90 update released this week includes 9 security fixes, including for a couple of other high-severity issues, three medium-severity bugs, and one low-severity vulnerability.
News URL
Related news
- Google Chrome’s AI feature lets you quickly check website trustworthiness (source)
- Google says new scam protection feature in Chrome uses AI (source)
- Google Chrome uses AI to analyze pages in new scam detection feature (source)
- New details reveal how hackers hijacked 35 Google Chrome extensions (source)
- Google Chrome is making it easier to share specific parts of long PDFs (source)
- Google OAuth Vulnerability Exposes Millions via Failed Startup Domains (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-30 | CVE-2021-21227 | Out-of-bounds Write vulnerability in multiple products Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-01-08 | CVE-2020-16040 | Integer Overflow or Wraparound vulnerability in Google Chrome Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
| 2020-09-21 | CVE-2020-15965 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | 8.8 |