Cyber Resilience

CVE-2021-21193

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 March 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1375 (94.4th percentile)
Risk Priority: 46 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-21193 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 5.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability CVE-2021-21193 is a use-after-free flaw in the Blink component of Google Chrome versions prior to 89.0.4389.90. Classified under CWE-416, the issue can result in heap corruption.

A remote attacker can exploit the flaw by serving a crafted HTML page to a target user. With no privileges required and only user interaction needed to visit the page, successful exploitation can yield high impact on confidentiality, integrity, and availability.

Chrome release information and distribution advisories direct users to apply the fix by upgrading to version 89.0.4389.90 or later, with updated packages provided for Fedora, Gentoo, and Debian.

Vulnerability details

Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-416
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Version
google · chrome · ≤ 89.0.4389.90
fedoraproject · fedora · 32
debian · debian linux · 10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of security-relevant patches to remediate the use-after-free flaw by upgrading Chrome to 89.0.4389.90 or later.

SC-18 Mobile Code partial match
prevent

Restricts execution of mobile code (HTML/JS) from untrusted sources, limiting the attack vector of a crafted HTML page that triggers the Blink flaw.

prevent · detect

Deploys malicious-code protection mechanisms that can block or detect web content attempting to exploit the heap-corruption vulnerability.
