Chrome 94 Update Patches Actively Exploited Zero-Day Vulnerability

Google has shipped an urgent Chrome update to address yet another zero-day vulnerability that has been actively exploited in attacks.

Tracked as CVE-2021-37973, the security bug is described as a use-after-free issue in the Portals API, a web page navigation technology that pre-renders content when transitioning to a new page, for a seamless experience.

Google did not provide technical details on CVE-2021-37973, but warned that an exploit for it exists in the wild. The search giant credited Clément Lecigne from Google TAG and Sergei Glazunov and Mark Brand from Google Project Zero for reporting the vulnerability.

The security hole can be exploited to execute arbitrary code on a vulnerable system, allowing an attacker to potentially “view, change, or delete data,” the Multi-State Information Sharing and Analysis Center (MS-ISAC) warns.

In a separate advisory, the United States Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to apply the update as soon as possible.

“Google has released Chrome version 94.0.4606.61 for Windows, Mac, and Linux. This version addresses a vulnerability—CVE-2021-37973—that an attacker could exploit to take control of an affected system. An exploit for this vulnerability exists in the wild,” CISA says.

There have been 68 documented zero-day attacks so far in 2021. Data reviewed by SecurityWeek shows that 12 of these security holes were found in Google’s Chrome and Android platforms.

Chrome 94.0.4606.61 was released to address the new zero-day exploit only days after the first stable release of Chrome 94 was announced.

Related: Google Warns of Exploited Zero-Days in Chrome Browser

Related: Google Awards Over $130,000 for Flaws Patched With Release of Chrome 93

Related: Apple Confirms New Zero-Day Attacks on Older iPhones