UPDATED 14:44 EDT / FEBRUARY 05 2021

SECURITY

Google fixes zero-day vulnerability in Chrome’s JavaScript engine

Google LLC on Thursday released an update for Chrome to fix a high-severity security vulnerability in the browser that’s believed to be exploited by hackers.

The update, the search giant detailed in a brief blog post, will roll out to users over the coming days and weeks.

Google has filed the vulnerability under the tag CVE-2021-21148 in the CVE database, a system maintained by the federally funded, nonprofit Mitre Corp. that helps the cybersecurity community track software exploits. However, Google is not sharing in-depth technical details with the cybersecurity community for now in a bid to give users time to download the update. 

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Srinivas Sista, a technical program manager with the Chrome team, wrote in the blog post. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

Though a detailed technical description is not available, Google did share a high-level overview of the vulnerability. Security researcher Mattias Buelens notified Google of the issue on Jan. 24 and the search giant is “aware of reports that an exploit for CVE-2021-21148 exists in the wild.” The vulnerability is considered to be of high severity.

The little technical information Google did share includes the detail that CVE-2021-21148 affects Chrome’s V8 JavaScript engine. V8 is responsible for translating web pages’ JavaScript code, which powers interactive page elements such as buttons, into low-level machine code that the processor in the user’s computer can understand.

The vulnerability, according to Google, facilitates a so-called heap buffer overflow attack. Such attacks overwrite parts of an application’s memory that are normally off-limits in order to carry out malicious actions such as installing malware or modifying data.

Google occasionally releases security updates for Chrome to patch vulnerabilities spotted by its engineers or external researchers. Previously, in November, the company released a patch for two separate security issues affecting the browser. One was in the V8 JavaScript engine while the other involved Site Isolation, a Chrome component that prevents attempts by malicious websites to steal user data from a web page the user has opened in another tab.
