CVE-2021-21166
Published: 09 March 2021
Summary
CVE-2021-21166 is a high-severity Race Condition (CWE-362) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
The vulnerability is a data race in the audio component of Google Chrome, tracked as CWE-362, that affects all versions prior to 89.0.4389.72. The flaw can result in heap corruption when processing certain inputs.
A remote attacker can exploit the issue by convincing a user to visit a crafted HTML page. Successful exploitation may allow the attacker to achieve heap corruption with high impact on confidentiality, integrity, and availability. The CVSS 8.8 score reflects this: the attack requires only user interaction and no other privileges.
The referenced Chrome stable channel update and Fedora package advisories indicate that the issue is resolved by upgrading to Chrome 89.0.4389.72 or later, with corresponding updates distributed through standard package channels for affected Linux distributions. No information on observed in-the-wild exploitation is provided in the references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8557
Vulnerability details
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-362
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely application of the Chrome 89.0.4389.72 patch that eliminates the data-race flaw.
- Enforces memory-protection mechanisms that can block or contain the heap corruption resulting from the data race.
- Requires scanning to discover installations of Chrome versions prior to 89.0.4389.72 that contain the audio-component flaw.