
Microsoft patches active zero-day Chromium flaw in Edge


A fix for a severe vulnerability in Google’s Chromium web browser that was reportedly being exploited in the wild has now been applied to the stable branch of the Microsoft Edge browser.

The vulnerability, tracked as CVE-2021-21193, was reported by an anonymous security researcher earlier in March. Google rushed out a patch for Google Chrome soon after, and now Microsoft has rolled it into its Chromium-based Edge browser too.

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,” noted the search engine giant as it released an update for Google Chrome to address the vulnerability as well as a couple of others.

The vulnerability, which scores 8.8 out of 10 on the CVSS vulnerability rating scale, making it high-severity, exists in the Blink rendering engine.

It’s described as a use-after-free vulnerability, a class of flaw that experts suggest stems from the incorrect use of dynamic memory while a program is running, in this case the Blink rendering engine.

Reportedly, Blink’s failure to properly clear its memory allowed an attacker to execute arbitrary code or corrupt data. Google, however, didn’t share any details about how the vulnerability was being exploited, apart from stating that it was aware of the flaw being used by hackers.

Microsoft has now followed Google’s lead and released patches for the Blink vulnerability in the stable channel of its Edge web browser, which is powered by the same Blink engine as Google’s Chrome.

Via: MSPowerUser