Google has updated the Stable channel of the Chrome browser to version 93.0.4577.82 for Windows, Mac and Linux. The update will roll out over the coming days/weeks. There are 11 security fixes, including two for which exploits are already available.
The company has not yet disclosed the details. It is only known that the first vulnerability (CVE-2021-30632) is caused by an out-of-buffer write in the V8 JavaScript engine. The second problem (CVE-2021-30633) is present in the Indexed DB API implementation and is related to the call to the memory area after free (use after free).
The official announcement lists the following patches, which were submitted by third-party researchers.
- CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
- CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
- CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
- CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
- CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-08-26
- CVE-2021-30630: Inappropriate implementation in Blink . Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
- CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
- CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
- CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08
All of the above vulnerabilities are of HIGH severity. No critical issues were found that could be used to bypass all browser security levels and execute code on the target system outside of the sandbox environment.
Support us
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: