Google has fixed four high-risk vulnerabilities in Chrome, one of which has already been exploited by attackers.
This is the sixth Chrome vulnerability that is known to have been exploited in the wild in 2021, according to a spreadsheet maintained by Google researchers. The flaw is fixed in Chrome 91.0.4472.114, which Google released on June 17.
The vulnerability that attackers have exploited is CVE-2021-30554, a use-after-free in the WebGL component of Chromium. WebGL is an API that’s used to render graphics in the browser. The flaw also affects Microsoft Edge, which is based on Chromium.
As is typical whenever it releases a patch for a flaw that has been exploited, Google did not release any details about the exploit or who is targeting the vulnerability. Google usually waits until most of the Chrome user base has updated to the latest version before it releases those details.
In addition to the zero-day in WebGL, the new version of Chrome also includes fixes for three other use-after-free vulnerabilities, all of which are considered high risk. One of the vulnerabilities is in Sharing, one is in WebAudio, and the third is in TabGroups.