Google Chrome Zero-Day Use-After-Free Vulnerability (CVE-2021-30554)

The seventh zero-day of Google Chrome was the talk of the town in mid-June 2021, two weeks after the sixth zero-day was observed in the wild. The earlier six zero-days were:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021
  • CVE-2021-30551 – June 9th, 2021

Google states that they are “aware that an exploit for CVE-2021-30554 exists in the wild.” The Stable channel has been updated to 91.0.4472.114 for Windows, Mac and Linux, which will roll out over the coming days or weeks. Details regarding this fixed zero-day vulnerability are very limited, except that it is caused by a use-after-free weakness in WebGL (Web Graphics Library), the JavaScript API used by the Chrome web browser to render interactive 2D and 3D graphics without plug-ins.

Affected products

Google Chrome prior to 91.0.4472.114.

Mitigation

Google has released Chrome 91.0.4472.114 for Windows, Mac, and Linux to fix the zero-day vulnerability that is being exploited in the wild and is tracked as CVE-2021-30554.

One can perform a manual update by going to Settings > Help > About Google Chrome.
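As an added example (not part of this advisory), the version check below decides whether a reported Chrome version is prior to the fixed release 91.0.4472.114; it compares the four dotted components numerically, because a plain string comparison would wrongly rank 91.0.4472.9 above 91.0.4472.114. The binary names probed by installed_chrome_version() are assumptions for Linux/macOS hosts.

```python
"""Check whether a Google Chrome version is prior to 91.0.4472.114 (CVE-2021-30554).
Added example, not the advisory's own code."""
import re
import shutil
import subprocess

FIXED_VERSION = "91.0.4472.114"  # Stable channel release that fixes CVE-2021-30554


def parse_version(text):
    """Extract the first dotted version from text (e.g. 'Google Chrome 91.0.4472.101')
    and return it as a tuple of ints, padded to four components, so that
    91.0.4472.9 sorts below 91.0.4472.114 (a string compare gets this wrong)."""
    match = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the reported version is strictly older than the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version():
    """Best-effort: ask a locally installed Chrome/Chromium binary for its version
    string (Linux/macOS). Binary names are assumptions; returns None if none is found."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True)
            return out.stdout.strip() or None
    return None


if __name__ == "__main__":
    reported = installed_chrome_version()
    if reported is None:
        print("No Chrome binary found; pass a version string to is_vulnerable() instead")
    else:
        status = "VULNERABLE" if is_vulnerable(reported) else "patched"
        print(f"{reported}: {status} (fixed in {FIXED_VERSION})")
```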

Qualys Detection

Qualys customers can scan their network with QID 375638 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References and Sources

https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html

https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/

https://threatprotect.qualys.com/2021/06/11/google-chrome-zero-day-type-confusion-vulnerability/
