Security News > 2021 > April > Google Patches Yet Another Serious V8 Vulnerability in Chrome
An update released this week by Google for Chrome 90 patches yet another serious vulnerability affecting the V8 JavaScript engine used by the web browser.
Liu told SecurityWeek that the flaw can be exploited for remote code execution in the targeted user's browser, but noted that, similar to other recently disclosed V8 vulnerabilities, it does not escape the Chrome sandbox - a sandbox escape bug is needed to exploit CVE-2021-21227 in real world attacks.
The hacker says CVE-2021-21227 is related to CVE-2020-16040 and CVE-2020-15965, similar high-severity V8 vulnerabilities that Google patched in Chrome in December and September 2020, respectively.
CVE-2020-16040 and CVE-2020-15965 were reported to Google by Lucas Pinheiro of Microsoft Browser Vulnerability Research.
Google has patched several serious V8 vulnerabilities in recent weeks, including some for which PoC exploits were released before patches were made available.
The Chrome 90 update released this week includes 9 security fixes, including for a couple of other high-severity issues, three medium-severity bugs, and one low-severity vulnerability.
News URL
Related news
- Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices (source)
- Google to let businesses create curated Chrome Web Stores for extensions (source)
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- How to enable Safe Browsing in Google Chrome on Android (source)
- New tool bypasses Google Chrome’s new cookie encryption system (source)
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System (source)
- Google patches actively exploited Android vulnerability (CVE-2024-43093) (source)
- Google says “Enhanced protection” feature in Chrome now uses AI (source)
- Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-30 | CVE-2021-21227 | Out-of-bounds Write vulnerability in multiple products Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-01-08 | CVE-2020-16040 | Integer Overflow or Wraparound vulnerability in Google Chrome Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
| 2020-09-21 | CVE-2020-15965 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | 8.8 |