Google has updated Chrome to version 96.0.4664.110 for Windows, Mac, and Linux, in the Stable channel due to a high-severity zero-day vulnerability that the firm has confirmed as currently being exploited in the wild. According to the announcement, the update might take time to reach everyone, but we were able to get the update right away on our test system.
The update contains five fixes, which you can see below along with the corresponding bounty reward paid for the disclosure.
- [$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
- [$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
- [$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
- [$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
- [$TBD][1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09
Google also notes that “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” which likely applies to CVE-2021-4102 and of which is already actively being exploited in the wild according to the search giant.