Update Google Chrome now — important zero-day flaw exposed

Google has pushed out a new version of Chrome for Windows, macOS and Linux to patch a zero-day flaw that is being actively exploited in the wild.

The update takes Chrome to version number 88.0.4324.150. You can check which version your Chrome installation is on by going to Settings (the three stacked dots in the upper right corner) > Help > About Google Chrome. Opening that page will force Chrome to update if it hasn't already.

Other browsers that share Chrome's code may not have caught up yet. At the time of this writing, Brave was still stuck on the previous version. Microsoft Edge had an update ready, but because its version-numbering scheme is different, we can't quite tell if it fixes the Chrome flaw.
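The version check described above can be scripted across many machines. The following is an added example, not code from Google or from this article: it compares reported versions numerically against the fixed build 88.0.4324.150 and declines to judge products with a different numbering scheme. The inventory lines are constructed sample data, and their `<product> <version>` format (as printed by `google-chrome --version` on Linux) is an assumption.

```python
import re

# Fixed build named in the article for CVE-2021-21148.
PATCHED = (88, 0, 4324, 150)

# Only Google Chrome's own numbering can be compared against PATCHED.
# Other Chromium-based browsers number releases differently, so a
# numeric comparison would be meaningless for them.
COMPARABLE_PRODUCTS = {"Google Chrome"}

# "<product name> <a.b.c.d>" (line format is an assumption of this example).
LINE_RE = re.compile(r"^(?P<product>.+?)\s+(?P<version>\d+(?:\.\d+){3})\b")


def parse(line):
    """Return (product, (a, b, c, d)) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["product"], tuple(int(p) for p in m["version"].split("."))


def classify(line):
    """Return 'patched', 'vulnerable', 'unknown' or 'unparsed' for one line."""
    parsed = parse(line)
    if parsed is None:
        return "unparsed"
    product, version = parsed
    if product not in COMPARABLE_PRODUCTS:
        return "unknown"  # different scheme: needs the vendor's own advisory
    # Tuples of ints compare field by field, so .96 < .150 as intended.
    # Comparing the raw strings would wrongly rank "…96" above "…150".
    return "patched" if version >= PATCHED else "vulnerable"


# Constructed sample inventory, one line per host.
SAMPLE = [
    "Google Chrome 88.0.4324.150",
    "Google Chrome 88.0.4324.96",
    "Google Chrome 87.0.4280.141",
    "Microsoft Edge 88.0.705.63",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{classify(entry):<10} {entry}")
```

Hosts reported as `unknown` need to be checked against that browser vendor's own release notes rather than against Chrome's version number.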

Google didn't provide many details about the flaw being fixed in its Chrome release bulletin, but did say it addresses a "heap buffer overflow in V8," Chrome's JavaScript engine. In a heap buffer overflow, a program writes more data into a block of dynamically allocated (heap) memory than the block can hold, corrupting whatever sits next to it. In a JavaScript engine, that corruption can give an attacker a way to inject code and have it run.

The flaw has been given the catalog number CVE-2021-21148, and Google said it was "aware of reports that an exploit ... exists in the wild." 

The flaw was reported to Google by an independent security researcher named Mattias Buelens on Jan. 24. That was the day before Google disclosed a North Korean espionage campaign against security researchers that used flaws in Chrome and Internet Explorer, so there may be some connection.

Paul Wagenseil
