Google Chrome Heap Buffer Overflow Vulnerability (CVE-2021-21148)

Overview

On 4th February 2021, Google released an update to fix a critical heap buffer overflow vulnerability (CVE-2021-21148) in the Chrome browser. It has been fixed in Chrome version 88.0.4324.150 for Windows, Mac, and Linux OS. The vulnerability was found in Google’s open-source JavaScript and WebAssembly engine called V8. Successful exploitation of this vulnerability could lead to arbitrary code execution on a target system.

Description

The heap buffer overflow vulnerability was reported by Security researcher Mattias Buelens on 24th January, 2021, which exists due to the boundary error within the V8 engine. A remote attacker can persuade the victim to open the specially crafted web page, which would trigger the bug and execute arbitrary code on the target system.

According to the Google Chrome advisory, “Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild”. There has been no confirmation about those attacks.

On January 28, 2021, Microsoft published a report for ZINC attack, said that attackers most likely used a Chrome zero-day for their attacks.  Subsequently, a South Korean Security company published a report and discovered that an Internet Explorer zero-day vulnerability has been used for ZINC attack.

Google did not confirm if the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe so, due to the proximity of the two events.

Affected products

Google Chrome versions before 88.0.4324.150.

Detection

Qualys customers can scan their network with QID 375091 to detect vulnerable assets.

Kindly continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.

References

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *