
Google Patches 2 Actively Exploited Chrome Zero-Days

Along with six other vulnerabilities in the browser.

By Nathaniel Mott, Contributing Writer


Google has released a new version of Chrome to fix seven security flaws in the popular browser, two of which are zero-day vulnerabilities that have already been exploited by attackers.

All seven of the addressed vulnerabilities are considered High severity, which is the second-highest level in Google's severity guidelines. The company says its goal is to make patches related to High severity vulnerabilities available to all Chrome users in under 60 days.

Not all High severity bugs are created equal, however, and Google says it's "aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild." That means attackers have already found a way to use the vulnerabilities, but Google hasn't offered any details about those exploits.

The company says CVE-2021-38000 relates to "Insufficient validation of untrusted input in Intents." CVE-2021-38003, meanwhile, is described as an "Inappropriate implementation in V8." (V8 is Google's open-source JavaScript and WebAssembly engine, which is also used by Node.js.)

Google says CVE-2021-38000 was reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on Sept. 15; CVE-2021-38003 was reported by Lecigne and Google Project Zero's Samuel Groß on Oct. 26. The patches were released on Oct. 28.

Two of the vulnerabilities (CVE-2021-38001 and CVE-2021-38002) were reported by participants in the Tianfu Cup, a Chinese hacking competition where researchers showed off exploits in everything from Windows 10 and Adobe PDF Reader to iOS 15 and Chrome, earlier this month.

The remaining vulnerabilities were reported by Ashish Arun Dhone, Cassidy Kim of Amber Security Lab, and Wei Yuan of MoyunSec VLab between Sept. 21 and Oct. 14. The researchers were awarded bounties of between $1,000 and $10,000 for their disclosure of the security flaws.

Patches for all of these bugs arrived with Chrome 95.0.4638.69 for Windows, macOS, and Linux. The update can be manually installed via the About Google Chrome page in the Help section of the browser's menu; it will automatically "roll out over the coming days/weeks" to all users. Note that a downloaded update takes effect only after the browser is relaunched, so an open Chrome window can still be running the vulnerable version.
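For anyone checking more than one machine, the question is simply whether the installed build is at or above 95.0.4638.69. The script below is an added example, not code from the article or from Google: it compares dotted version strings component by component (a plain string comparison would wrongly rank 95.0.4638.7 above 95.0.4638.69) and reports whether a given build carries the fixes. It assumes the Linux binary name google-chrome and that "--version" prints a line such as "Google Chrome 95.0.4638.69"; the binary path differs on macOS and Windows.

```shell
#!/bin/sh
# Added example (not from the article or from Google): report whether an
# installed Chrome build is at or above the release carrying these fixes.
PATCHED="95.0.4638.69"

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing each
# of the four components numerically; missing components count as 0.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | cut -s -d. -f"$i")
        y=$(printf '%s' "$2" | cut -s -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# chrome_version_from LINE: extract the version from the binary's output,
# e.g. "Google Chrome 95.0.4638.69" -> "95.0.4638.69" (last whitespace field).
chrome_version_from() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# patched_status VERSION: print "patched" or "vulnerable" relative to PATCHED.
patched_status() {
    if version_ge "$1" "$PATCHED"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Run against the local install when the assumed Linux binary is present.
if command -v google-chrome >/dev/null 2>&1; then
    v=$(chrome_version_from "$(google-chrome --version 2>/dev/null)")
    echo "Chrome $v: $(patched_status "$v")"
fi
```

The check only reads the binary on disk; a browser that downloaded the update but has not been relaunched still reports as patched here while the running process is the old one, so pair it with a restart policy.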
