Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers • The Register

Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers • The Register


If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being “actively exploited” in the older version of Chrome that will also affect other vendors’ browsers.

Details are intentionally scant until enough of the wider world has installed the update, but the flaw exists in how Chrome handles heap overflows in V8, Chromium’s Javascript engine.

“Google is aware of reports that an exploit for CVE-2021-21148 [the zero-day; more details below] exists in the wild,” said the loquacious adtech firm in a statement.

The V8 vuln affects Chromium-based browsers in general and not just Google Chrome itself. Tarquin Wilton-Jones, developer at Vivaldi, told The Register: “This is a generic Chromium issue, and affects Chromium-based browsers. We released an update for our desktop stable channel yesterday, which includes the Chromium update for this issue. We are currently testing our Android build with the update, and hope to have it released soon.”


Vivaldi composes sweet ad-blocking symphony for users of browser’s Android version


This means users of Microsoft Edge, Brave, and other fringe browsers need to get updating pronto. Firefox users may enjoy a moment – but only a moment – of smugness.

While Google’s blog post announcing the new update was terse and undescriptive, it revealed that the zero-day is known as CVE-2021-21148 (details will appear at this link at a later date) and was reported by software architect Mattias Buelens on 24 January. The flaw itself, described only as “heap buffer overflow”, exists in V8, Chromium’s open-source Javascript and WebAssembly engine.

Two days later, Google’s Threat Analysis Group warned the world that North Koreans were probing zero-day researchers, though there is no evidence so far to suggest a firm link between the two.

OmahaProxy, a site that tracks what’s running under the hood in Chrome, shows that between the previous stable build (88.0.4324.146) and the latest (ending 150) V8’s version number was incremented, from to .15 in the newest Chrome version.

multiple facepalms

Rubbish software security patches responsible for a quarter of zero-days last year


The Chromium log for the latest version (88.0.4324.150), naturally, contains no specific details of the bug yet. Chromium’s automatic vuln disclosure terms are for details to be published 14 weeks after a fix, if the bug isn’t revealed sooner.

Back in early November, Google patched another Chrome-affecting bug in V8 that allowed a remote attacker to exploit heap corruption through a specially crafted HTML page. Details of that bug haven’t yet entered the public domain but should do so pretty soon, if Google abides by its own 14-week disclosure rules. ®

You May Also Like…