CVE-2021-21206
Published: 26 April 2021
Summary
CVE-2021-21206 is a high-severity Use After Free (CWE-416) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability CVE-2021-21206 is a use-after-free flaw in the Blink rendering engine within Google Chrome versions prior to 89.0.4389.128. Classified as CWE-416, the issue can lead to heap corruption when processing untrusted input.
A remote attacker can trigger the flaw by serving a crafted HTML page to a victim, achieving exploitation with no privileges required beyond user interaction such as visiting the page. The CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability.
Chrome release notes and Fedora advisories direct users to apply the stable channel update to version 89.0.4389.128 or later, with corresponding package updates issued for affected distributions to resolve the vulnerability.
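To make the "89.0.4389.128 or later" remediation bar checkable at scale, here is an added example (not from the advisory or from any vendor tooling) that compares dotted Chrome version strings against the fixed build and triages a constructed hostname,version inventory; the inventory lines and host names are made up for the demonstration.

```python
import re

# Fixed build from the advisory: the Blink use-after-free is resolved in
# Chrome 89.0.4389.128 and later.
FIXED_VERSION = "89.0.4389.128"


def parse_version(version):
    """Split a dotted numeric version string into a tuple of ints.

    Tuples compare element by element, so 89.0.4389.127 < 89.0.4389.128
    and 90.0.4430.72 > 89.0.4389.128 without any string tricks.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed):
    """True when the installed Chrome version predates the fixed build."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def triage_inventory(lines):
    """Return hosts still exposed, from 'hostname,version' inventory lines.

    A version that cannot be parsed is reported for manual review rather
    than silently treated as patched.
    """
    findings = []
    for line in lines:
        host, _, version = line.strip().partition(",")
        if not host or not version:
            continue  # blank or malformed inventory line
        try:
            if is_vulnerable(version):
                findings.append(host)
        except ValueError:
            findings.append(f"{host} (unparseable version {version!r})")
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    "ws-01,89.0.4389.114",
    "ws-02,89.0.4389.128",
    "ws-03,90.0.4430.72",
    "ws-04,unknown",
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print("needs attention:", finding)
```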
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8597
Vulnerability details
Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the Chrome 89.0.4389.128 patch that eliminates the use-after-free in Blink.
- Memory protection: OS-level memory protection mechanisms can block or contain the heap corruption that results from the use-after-free.
- SC-18 (Mobile Code): restricts or sandbox-executes mobile code (HTML/JS) delivered by untrusted pages, limiting the attack vector that triggers the flaw.