CVE-2021-30554
Published: 02 July 2021
Summary
CVE-2021-30554 is a high-severity Use After Free (CWE-416) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 9.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a use-after-free flaw (CWE-416) in the WebGL component of Google Chrome versions prior to 91.0.4472.114. It can result in heap corruption when processing certain inputs, and it carries a CVSS 3.1 base score of 8.8.
A remote attacker can exploit the issue by serving a crafted HTML page to a victim who visits it in an affected browser. Successful exploitation may allow the attacker to corrupt heap memory and achieve impacts including disclosure of sensitive information, modification of data, or denial of service.
Chrome stable channel updates and downstream advisories from Fedora and Gentoo recommend upgrading to version 91.0.4472.114 or later to address the flaw. No information on observed in-the-wild exploitation is provided in the references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17475
Vulnerability details
Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-416
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely application of security-relevant patches to eliminate the use-after-free flaw in WebGL.
- Enforces memory-safety protections that mitigate use-after-free and resulting heap corruption during WebGL processing.
- Allows disabling or restricting the WebGL feature to block the attack vector on systems where it is not required.