Chrome update 89.0.4389.128 fixes 0-day vulnerabilities. Chrome 90 delayed

Google has released Chrome update 89.0.4389.128, which fixes two vulnerabilities (CVE-2021-21206, CVE-2021-21220) for which working exploits are available (0-day). Vulnerability CVE-2021-21220 was used to hack Chrome at the Pwn2Own 2021 competition.

This vulnerability is exploited by executing WebAssembly code in a specific way (it is caused by an error in the WebAssembly virtual machine that allows data to be written or read at an arbitrary address in memory). The demonstrated exploit does not bypass sandbox isolation, and a full attack requires a second vulnerability to escape the sandbox (such a vulnerability was demonstrated for Windows at the Pwn2Own 2021 competition).

An example exploit for this problem was published on GitHub after the fix had been made to the V8 engine, but before a browser update based on it had been built. Even if the exploit had not been published, attackers could have recreated it by analyzing changes in the V8 repository; this has happened before, when a fix had already been published in V8 but the products based on it had not yet been updated.

Additionally, the release schedule for Chrome 90 for Linux, Windows and macOS has shifted. This release was scheduled for April 13, but was not published yesterday; only the Android version was released. An additional beta release of Chrome 90 was built today. No new release date has been announced.

Source: opennet.ru
