Cyber Resilience

CVE-2021-21206

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 26 April 2021
Modified: 24 October 2025
KEV Added: 03 November 2021
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1753 (95.2th percentile)
Risk Priority: 48 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-21206 is a high-severity Use After Free (CWE-416) vulnerability in the Blink rendering engine of Google Chrome; Fedora 32, 33 and 34 are also listed as affected. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 4.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability CVE-2021-21206 is a use-after-free flaw in the Blink rendering engine within Google Chrome versions prior to 89.0.4389.128. Classified as CWE-416, the issue can lead to heap corruption when processing untrusted input.

A remote attacker can trigger the flaw by serving a crafted HTML page to a victim. No privileges are required; the only precondition is user interaction, such as visiting the page. The CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability.

Chrome release notes and Fedora advisories direct users to apply the stable channel update to version 89.0.4389.128 or later, with corresponding package updates issued for affected distributions to resolve the vulnerability.

Vulnerability details

Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-416
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome: ≤ 89.0.4389.128
fedoraproject fedora: 32, 33, 34

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely application of the Chrome 89.0.4389.128 patch that eliminates the use-after-free in Blink.

prevent: OS-level memory protection mechanisms can block or contain the heap corruption that results from the use-after-free.

SC-18 Mobile Code (partial match)
prevent: Restricts or sandboxes the execution of mobile code (HTML/JS) delivered by untrusted pages, limiting the attack vector that triggers the flaw.
