The heap buffer overflow vulnerability was reported by Security researcher Mattias Buelens on 24th January, 2021, which exists due to the boundary error within the V8 engine. A remote attacker can persuade the victim to open the specially crafted web page, which would trigger the bug and execute arbitrary code on the target system.
According to the Google Chrome advisory, “Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild”. There has been no confirmation about those attacks.
On January 28, 2021, Microsoft published a report for ZINC attack, said that attackers most likely used a Chrome zero-day for their attacks. Subsequently, a South Korean Security company published a report and discovered that an Internet Explorer zero-day vulnerability has been used for ZINC attack.
Google did not confirm if the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe so, due to the proximity of the two events.
Google Chrome versions before 88.0.4324.150.
Qualys customers can scan their network with QID 375091 to detect vulnerable assets.
Kindly continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.