Connect with us

Hi, what are you looking for?



Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched

A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week.

A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week.

The second exploit was publicly disclosed by a researcher who uses the online moniker Frust and who works for Chinese cybersecurity company Qihoo 360. Frust announced the availability of an exploit for a “zero-day” Chrome vulnerability on Twitter on Wednesday, and a few hours later published a blog post with a technical description of the vulnerability (in Chinese), which actually exists in the Chromium code.

Mitja Kolsek, CEO of ACROS Security and co-founder of third-party patching service 0patch, has confirmed for SecurityWeek that the vulnerability disclosed by Frust has not been patched in the latest versions of Chrome and Edge that were released this week. Chrome 90 was released on Wednesday, but it does not fix this security hole, for which a CVE identifier has apparently yet to be assigned.

The vulnerability was discovered in the v8 JavaScript engine used by Chromium, based on the analysis of changes made by developers in the code. The flaw has been patched in the code, but the patch has yet to be shipped to Chrome or Edge users.

Chrome zero-day exploit made public

The vulnerability disclosed by Frust, Kolsek said, can be exploited for arbitrary code execution in the browser process by tricking the targeted user into visiting a malicious website. However, it only works if the browser sandbox is disabled or if the attacker combines it with a sandbox escape exploit.

This is the second Chromium vulnerability for which an exploit has been released this week. The first vulnerability was fixed with a Chrome 89 update released by Google on Tuesday. The Chrome update patched two high-severity vulnerabilities tracked as CVE-2021-21206 and CVE-2021-21220.

CVE-2021-21220 is an issue in v8 and it was demonstrated last week at the Pwn2Own 2021 hacking competition by Bruno Keith and Niklas Baumstark of Dataflow Security. Keith and Baumstark earned $100,000 at Pwn2Own after demonstrating a remote code execution exploit that worked against both Edge and Chrome.

Advertisement. Scroll to continue reading.

However, a few days after the competition ended, 18-year-old researcher Rajvardhan Agarwal made public a PoC exploit for CVE-2021-21220. Agarwal analyzed the changes made by Chromium developers to v8 in response to the vulnerability disclosed by Keith and Baumstark, which enabled him to develop an exploit for it. Google had at that point developed a patch, but it had not been pushed out to regular Chrome users.

Agarwal told SecurityWeek that he released his exploit, which also works only if the Chrome sandbox is disabled or bypassed, to demonstrate that it’s “still possible to develop weaponized exploits during the patch-gapping period.” Frust also pointed out the security risks associated with patch-gapping in his blog post.

Patch-gapping refers to exploiting open source software vulnerabilities that have already been fixed by developers — or are in the process of being patched — before the actual patch is shipped to regular users.

“I find it impressive how quickly someone was able to find these vulnerabilities in Chromium’s public bug tracker and devise an exploit for them,” Kolsek told SecurityWeek.

When it patched CVE-2021-21206 and CVE-2021-21220 on Tuesday, Google said it had been “aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.”

Microsoft has also patched CVE-2021-21220 in its Edge web browser this week, but the vulnerability disclosed by Frust remains unfixed.

Chrome 90 patches

According to Google, Chrome 90 brings 37 security fixes, including a high-severity use-after-free bug that earned security researchers at Chinese tech company Tencent $20,000. It also addresses a use-after-free flaw discovered by researcher David Erceg, which earned him $10,000.

Two use-after-free bugs in the Blink browser engine were also assigned a high severity rating, earning the reporting researchers $5,000 and $1,000, respectively.

There are also a couple of high-severity vulnerabilities, reported by researchers at Microsoft and Qihoo 360, for which Google has yet to determine a reward. The remaining vulnerabilities patched in Chrome 90 have been rated medium or low severity.

Related: Chrome 89 Patches Actively Exploited Vulnerability

Related: Google Chrome Zero-Day Under Attack, Again

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.