Google on Thursday night started to roll out an update for Chrome that patches two use-after-free vulnerabilities, one of them having at least one exploit in the wild.

Both security issues are serious as they could be leveraged to take control of a vulnerable system, reads an alert from the Cybersecurity and Infrastructure Security Agency (CISA).

Exploit in the wild

Google says it is aware that one of the flaws has an exploit in the wild. This bug received the tracking number CVE-2019-13720 and is in the audio component of the web browser.

Kaspersky Lab malware researchers Anton Ivanov, head of the advanced threats research and detection team, and Alexey Kulaev, senior malware analyst, are credited for reporting the vulnerability on October 29.

A second use-after-free vulnerability, identified as CVE-2019-13721, was reported by on October 12 by bug hunter bananapenguin, who received a bounty of $7,500.

A direct effect of triggering a use-after-free (UAF) vulnerability is typically a crash but in certain circumstances, this type of memory corruption problem may be exploited to execute arbitrary code.

Taking advantage of these bugs is not easy. They occur when a program continues to use a pointer to memory that has already been freed.

The Open Web Application Security Project (OWASP) lists the following causes for a UAF glitch, which are also valid for other memory-related issues like double-free errors and leaks:

Error conditions and other exceptional circumstances

Confusion over which part of the program is responsible for freeing the memory

Details for the bugs are not publicly available at the moment. As a rule, Google restricts access to this information until the patch is installed for most users.

The severity level for both vulnerabilities is considered high and a fix for them is delivered with Google Chrome 78.0.3904.87, available for Windows, Mac, and Linux users. The update will reach the entire user base of the browser in the coming days, possibly weeks, Google informs in a blog post.