A security researcher has shared a zero-day vulnerability found in the Chromium engine, which powers popular browsers like Microsoft Edge and Google’s Chrome. Chained with other vulnerabilities, the proof-of-concept code can let an attacker execute code remotely even in the latest versions of these browsers. He says the bug has been fixed in Chromium, but the fix has yet to arrive in Chrome.

Chromium Zero-day Vulnerability

A security researcher named Rajvardhan Agarwal recently shared proof-of-concept code on Twitter that demonstrates the exploitation of a zero-day vulnerability in Chromium's V8 JavaScript engine. As Chromium is the core used by many browsers like Microsoft Edge and Google Chrome, exploiting it can be disastrous.

The zero-day he discovered would let an attacker perform a remote code execution attack and compromise a system. Agarwal’s PoC consists of an HTML file and an accompanying JavaScript file. When loaded into a Chromium-based browser, it triggers the vulnerability and launches the Windows calculator (calc.exe) program.

The good news is that the exploit cannot escape the browser sandbox on its own and needs the help of additional bugs to do so. Thus the sandbox in Chrome can easily thwart the exploit and prevent remote code execution. BleepingComputer tested the zero-day with the sandbox disabled in the Chrome and Edge browsers and succeeded in performing the attack.
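Because the PoC only succeeds when the sandbox is off, defenders can look for browsers started that way. The following is an added example, not code from the article or from the PoC: it scans process-creation records for Chromium-based browsers launched with Chromium's `--no-sandbox` switch. The record fields (`pid`, `image`, `command_line`), the browser name list and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Executable names treated as Chromium-based browsers (assumed list; extend as needed).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chrome", "chromium", "msedge"}
SANDBOX_OFF_SWITCH = "--no-sandbox"

# One argument = a run of unquoted characters and/or double-quoted segments.
_ARG = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def split_args(command_line):
    """Split a command line into arguments, keeping quoted spaces together."""
    return [tok.replace('"', "") for tok in _ARG.findall(command_line)]


def find_unsandboxed_browsers(events):
    """Return the PIDs of browser processes started with the sandbox switched off."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() not in BROWSER_IMAGES:
            continue
        # Exact-token match: a URL that merely contains the text is not a hit.
        if SANDBOX_OFF_SWITCH in split_args(ev["command_line"])[1:]:
            hits.append(ev["pid"])
    return hits


# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox'},
    {"pid": 4200, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"pid": 4300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://example.test/?q=--no-sandbox"'},
    {"pid": 4400, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe --no-sandbox"},
    {"pid": 4500, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox'},
]

if __name__ == "__main__":
    print(find_unsandboxed_browsers(SAMPLE_EVENTS))
```

The same check can be fed from any source of process command lines, such as endpoint telemetry, after mapping its fields onto the three assumed keys.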

The exploit is reported to work even in the latest stable versions of the Chrome (v89.0.4389.114) and Edge (v89.0.774.76) browsers, so a patch should be coming soon. Agarwal said a patch is already available in Chromium but has yet to roll out to the Chrome browser.

As Google is preparing to launch v90 of Chrome tomorrow, it remains to be seen whether this zero-day vulnerability is patched in that release. This zero-day is reportedly the same bug disclosed by researchers Bruno Keith and Niklas Baumstark of Dataflow Security at the Pwn2Own 2021 event.
