Google has released Chrome 95.0.4638.69 for Windows, Mac and Linux. Two zero-day vulnerabilities that were actively exploited by cybercriminals have been fixed in the browser.
The developers warn that exploits already exist for CVE-2021-38000 and CVE-2021-38003 and are being used by hackers, but the company has not yet disclosed the details of these attacks. This is normal practice for Google: the company does not share details about the bugs themselves or about how they are exploited while a vulnerability is under attack. In this way, Google gives users time to install patches before other attackers begin to abuse the fresh bugs.
In total, seven vulnerabilities have been fixed in this Chrome release, two of which are categorized as zero-days. The first zero-day, CVE-2021-38000, is described as insufficient validation of untrusted input in Intents and was assigned high severity. The problem was discovered internally by the Google Threat Analysis Group in September 2021.
The second zero-day, CVE-2021-38003, is an implementation issue in the Chrome V8 JavaScript engine. This vulnerability was also discovered by an expert from the Google Threat Analysis Group last week.
Since both vulnerabilities were exploited in attacks, all Chrome users are advised to manually update their browser to install the latest version as quickly as possible.