Google has released an emergency fix for a vulnerability in Chrome that hackers are already exploiting. CVE-2021-21224 is the fourth Chrome zero-day vulnerability discovered in 2021, and the ongoing lack of indicators of compromise or any meaningful information about the attacks continues to cause confusion among security experts.
According to Google's notice, the patch addresses seven vulnerabilities, but the company provided only one-line descriptions and CVE IDs for five of them. CVE-2021-21224 is described simply as a type confusion in the V8 JavaScript engine. The problem was discovered by security researcher Jose Martinez.
"Google is aware of reports of exploits for CVE-2021-21224," the notice said.
The Chrome update (90.0.4430.85) is being distributed to Windows, Mac and Linux through the automatic update mechanism. It also fixes buffer overflow vulnerabilities in V8, an integer overflow in Mojo, and a use-after-free in Navigation, as well as an out-of-bounds data access vulnerability.