Cyber Resilience

CVE-2021-30554

HighCISA KEVActive ExploitationEUVD Exploited

Published: 02 July 2021

Published
02 July 2021
Modified
24 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0582 90.7th percentile
Risk Priority 41 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30554 is a high-severity Use After Free (CWE-416) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 9.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a use-after-free flaw (CWE-416) in the WebGL component of Google Chrome versions prior to 91.0.4472.114. It can result in heap corruption when processing certain inputs, as indicated by the CVSS 3.1 base score of 8.8.

A remote attacker can exploit the issue by serving a crafted HTML page to a victim who visits it in an affected browser. Successful exploitation may allow the attacker to corrupt heap memory and achieve impacts including disclosure of sensitive information, modification of data, or denial of service.

Chrome stable channel updates and downstream advisories from Fedora and Gentoo recommend upgrading to version 91.0.4472.114 or later to address the flaw. No information on observed in-the-wild exploitation is provided in the references.

EU & UK References

Vulnerability details

Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 91.0.4472.114
fedoraproject
fedora
33, 34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of security-relevant patches to eliminate the use-after-free flaw in WebGL.

prevent

Enforces memory-safety protections that mitigate use-after-free and resulting heap corruption during WebGL processing.

prevent

Allows disabling or restricting the WebGL feature to block the attack vector on systems where it is not required.

References