On 16 February 2021, Google released a stable-channel update for Chrome that addresses nine CVEs: CVE-2021-21149, CVE-2021-21150, CVE-2021-21151, CVE-2021-21152, CVE-2021-21153, CVE-2021-21154, CVE-2021-21155, CVE-2021-21156 and CVE-2021-21157. The vulnerabilities, which span several Chrome components, could allow an attacker to compromise the browser; Google has not yet published technical details beyond the bug class and affected component for each. No proof of concept or active exploitation had been observed at the time of writing.
According to the Google advisory, the nine CVEs, all rated High severity, are as follows:
CVE-2021-21149: Stack overflow in Data Transfer
CVE-2021-21150: Use after free in Downloads
CVE-2021-21151: Use after free in Payments
CVE-2021-21152: Heap buffer overflow in Media
CVE-2021-21153: Stack overflow in GPU Process
CVE-2021-21154 and CVE-2021-21155: Heap buffer overflow in Tab Strip
CVE-2021-21156: Heap buffer overflow in V8
CVE-2021-21157: Use after free in Web Sockets
Affected Products
Google Chrome versions earlier than 88.0.4324.182
Vulnerable software: Google Chrome, and Chromium-based browsers such as Microsoft Edge (Chromium) and Opera, which share the affected code and ship their fixes on their own release schedules.
Advisory
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html
Solution
Users are advised to update their Google Chrome installations to version 88.0.4324.182 or later.
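Checking an inventory against the fixed build is a common follow-up to this kind of advisory. The script below is an added example, not code from Qualys or Google: it parses Chrome's four-component version strings and compares them numerically against 88.0.4324.182, the only version on this page. The inventory lines and hostnames are constructed sample data, and the function names are the author's own. It also shows why a plain string comparison is wrong for this job: as strings, "88.0.4324.96" sorts after "88.0.4324.182", which would report a vulnerable build as patched.

```python
"""Flag Chrome installs older than the fixed stable build 88.0.4324.182.

Added example, not part of the Qualys post. The inventory below is
constructed sample data; only the fixed version comes from the advisory.
"""
from __future__ import annotations

import re

# First stable build that carries the fixes (from the Google advisory).
FIXED_VERSION = "88.0.4324.182"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version such as '88.0.4324.96' into an int tuple.

    Numeric comparison is essential: lexicographic comparison of the raw
    strings ranks '88.0.4324.96' above '88.0.4324.182' because '9' > '1'.
    """
    if not re.fullmatch(r"\d+(\.\d+){3}", v):
        raise ValueError(f"not a Chrome version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def naive_string_check(version: str, fixed: str = FIXED_VERSION) -> bool:
    """The comparison to avoid: raw string ordering. Kept only to show the bug."""
    return version < fixed


# Constructed sample inventory: "hostname,browser,version" (hypothetical hosts).
SAMPLE_INVENTORY = """\
ws-01,Google Chrome,88.0.4324.96
ws-02,Google Chrome,88.0.4324.182
ws-03,Google Chrome,88.0.4324.190
ws-04,Google Chrome,87.0.4280.141
ws-05,Microsoft Edge,88.0.705.74
"""


def find_vulnerable_hosts(inventory: str) -> list[str]:
    """Return hostnames running a Chrome build older than FIXED_VERSION.

    Edge and other Chromium-based browsers use their own version numbering,
    so they are skipped here rather than compared against Chrome's fix build.
    """
    hosts = []
    for line in inventory.splitlines():
        host, browser, version = line.split(",")
        if browser != "Google Chrome":
            continue
        if is_vulnerable(version):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome update to {FIXED_VERSION} or later required")
```

Running the script lists ws-01 and ws-04 as needing the update; ws-02 is exactly the fixed build and ws-03 is newer, so neither is flagged. The same tuple comparison generalises to any later Chrome advisory by changing FIXED_VERSION.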
Detection
Qualys customers can scan their network with QID 375119 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html
https://www.cert.ssi.gouv.fr/avis/CERTFR-2021-AVI-126/