Cyber Resilience

CVE-2021-21166

HighCISA KEVActive ExploitationEUVD Exploited

Published: 09 March 2021

Published
09 March 2021
Modified
24 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.3798 97.3th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-21166 is a high-severity Race Condition (CWE-362) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

The vulnerability is a data race in the audio component of Google Chrome, tracked as CWE-362, that affects all versions prior to 89.0.4389.72. The flaw can result in heap corruption when processing certain inputs.

A remote attacker can exploit the issue by convincing a user to visit a crafted HTML page. Successful exploitation may allow the attacker to achieve heap corruption with high impact on confidentiality, integrity, and availability, as reflected in the CVSS 8.8 score requiring only user interaction and no other privileges.

The referenced Chrome stable channel update and Fedora package advisories indicate that the issue is resolved by upgrading to Chrome 89.0.4389.72 or later, with corresponding updates distributed through standard package channels for affected Linux distributions. No information on observed in-the-wild exploitation is provided in the references.

EU & UK References

Vulnerability details

Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 89.0.4389.72
fedoraproject
fedora
32, 33, 34
debian
debian linux
10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the Chrome 89.0.4389.72 patch that eliminates the data-race flaw.

prevent

Enforces memory-protection mechanisms that can block or contain the heap corruption resulting from the data race.

detect

Requires scanning to discover installations of Chrome versions prior to 89.0.4389.72 that contain the audio-component flaw.

References