What is the CVE-2021-21193 vulnerability?

If you use Google Chrome on any of your devices, it is urgent that you update it immediately.

Google Chrome updates are frequent, but the most recent one, stable build 89.0.4389.90, fixes several vulnerabilities: three carry a high severity rating, and one of them has already been exploited by cybercriminals and hackers.

Specifically, this vulnerability lives in Google Chrome’s browser engine, Blink, the component that turns HTML code into the web page you actually see in your browser. It is a use-after-free vulnerability, a class of bug in which a program keeps using a block of dynamically allocated memory after that memory has already been released. In short, Blink continued to reference memory it had already freed.

While this may sound trivial and mundane, the most common consequences of a use-after-free vulnerability are data corruption and arbitrary code execution. The National Vulnerability Database’s description of CVE-2021-21193 puts it this way: the flaw can allow “a remote attacker to potentially exploit heap corruption via a crafted HTML page.”

How to update Google Chrome

Google started deploying the update across all internet-connected users (and if you’re using Google Chrome, you are most likely on the internet) on March 12th. The update button will appear in the upper right corner of your browser. It’s an arrow pointing up inside a green circle, and it looks like this:

It might take a few days before it appears, despite Google’s expedited rollout, but you can apply the update manually.

Just click the three-dot button in the upper right corner of your browser. Select Settings and then About Chrome. If your browser says 89.0.4389.90 or later, then you already have the patch. If the final number is lower than .90, the browser will ask you if you want to let the browser update itself by relaunching. Upon reopening Chrome, it will restore any tabs you previously had open, so there’s no reason not to check (and update) as soon as possible.
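As an added illustration of the version check described above (this script is not part of the original article), here is a short Python helper that pulls the dotted version out of a Chrome version string and compares it numerically against the patched build. The sample strings are constructed; they assume the `Google Chrome <version>` format that `google-chrome --version` prints on Linux.

```python
import re
from typing import Dict, Optional, Tuple

# Build that fixes CVE-2021-21193, as stated in the article above.
PATCHED_VERSION = "89.0.4389.90"

# First run of dot-separated integers, e.g. "89.0.4389.90".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted version in `text` as a tuple of ints,
    or None if the string contains no version at all."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text: str, fixed: str = PATCHED_VERSION) -> Optional[bool]:
    """True if the version found in `version_text` is at least `fixed`.

    Tuples compare element by element, so 89.0.4389.114 is correctly
    treated as newer than 89.0.4389.90; a plain string comparison
    would rank "114" below "90" and report a patched browser as old.
    Returns None when no version could be parsed."""
    found = parse_version(version_text)
    if found is None:
        return None
    return found >= parse_version(fixed)


# Constructed sample strings (assumed `google-chrome --version` output format).
SAMPLES = [
    "Google Chrome 89.0.4389.82",
    "Google Chrome 89.0.4389.90",
    "Google Chrome 89.0.4389.114",
    "Chromium 88.0.4324.150",
]


def check_samples() -> Dict[str, Optional[bool]]:
    """Map each sample string to its patched/unpatched verdict."""
    return {sample: is_patched(sample) for sample in SAMPLES}


if __name__ == "__main__":
    for sample, verdict in check_samples().items():
        print(f"{sample!r:35} patched={verdict}")
```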

The big takeaway from the CVE-2021-21193 vulnerability

Google usually doesn’t release information about vulnerabilities until after they have been patched, and CVE-2021-21193 was patched no more than three days after an anonymous security researcher reported it, which most likely means the vulnerability had already been exploited in the real world. A good rule of thumb: if a giant tech company like Google is taking a security problem this seriously, so should the rest of us.

But there’s another important takeaway here: these tech giants, and their products, aren’t perfect. Like the rest of us, they are part of the constant race to keep systems and tools secure for end users like you. It is absolutely vital to keep your software patched with the latest updates from its developers, because the most recent updates are the ones built to counter rapidly evolving cyber threats.