Emergency Google Chrome update fixes zero-day exploited in the wild


Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild.

"Google is aware that an exploit for CVE-2021-37973 exists in the wild," the browser vendor revealed in today's security advisory.

This Chrome update has started rolling out worldwide to the Stable desktop channel and will be available to all users over the following days and weeks.

The update was available immediately when BleepingComputer manually checked for new updates from Chrome menu > Help > About Google Chrome.

The web browser will also check for new updates and automatically update itself after the next launch.

Details regarding ongoing attacks not disclosed

The zero-day security flaw fixed today was reported the day the first Google Chrome 94 stable release was published, on September 21, by Clément Lecigne from Google TAG, with assistance from Sergei Glazunov and Mark Brand from Google Project Zero.

The bug, tracked as CVE-2021-37973, is a use-after-free weakness in Portals, Google's new web page navigation system for Chrome.

Successful exploitation of this vulnerability can let attackers execute arbitrary code on computers running unpatched Chrome versions.

Even though Google said it detected in-the-wild attacks abusing CVE-2021-37973, the company did not share additional information regarding these incidents.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said.

"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

Chrome users should therefore have enough time to install the security update and block exploitation attempts before more information becomes available.

Eleventh zero-day fixed this year

With this bug, Google has patched 11 zero-day vulnerabilities in the Chrome web browser since the start of 2021.

The other Chrome zero-day bugs Google fixed this year are:

CVE-2021-21148 - February 4th, 2021
CVE-2021-21166 - March 2nd, 2021
CVE-2021-21193 - March 12th, 2021
CVE-2021-21220 - April 13th, 2021
CVE-2021-21224 - April 20th, 2021
CVE-2021-30551 - June 9th, 2021
CVE-2021-30554 - June 17th, 2021
CVE-2021-30563 - July 15th, 2021
CVE-2021-30632 and CVE-2021-30633 - September 13th

Because these security bugs are all known to have been abused by threat actors in the wild, installing all Google Chrome updates is strongly recommended as soon as they are available.
