CVE-2021-21193
Published: 16 March 2021
Summary
CVE-2021-21193 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 5.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability CVE-2021-21193 is a use-after-free flaw in the Blink component of Google Chrome versions prior to 89.0.4389.90. Classified under CWE-416, the issue can result in heap corruption.
A remote attacker can exploit the flaw by serving a crafted HTML page to a target user. With no privileges required and only user interaction needed to visit the page, successful exploitation can yield high impact on confidentiality, integrity, and availability.
Chrome release information and distribution advisories direct users to apply the fix by upgrading to version 89.0.4389.90 or later, with updated packages provided for Fedora, Gentoo, and Debian.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8584
Vulnerability details
Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-416
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of security-relevant patches to remediate the use-after-free flaw by upgrading Chrome to 89.0.4389.90 or later.
Restricts execution of mobile code (HTML/JS) from untrusted sources, limiting the attack vector of a crafted HTML page that triggers the Blink flaw.
Deploys malicious-code protection mechanisms that can block or detect web content attempting to exploit the heap-corruption vulnerability.