Cyber Resilience

CVE-2021-30633

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 08 October 2021

Published
08 October 2021
Modified
24 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.3006 96.8th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30633 is a critical-severity Use After Free (CWE-416) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.6 (Critical).

Operationally, ranked in the top 3.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2021-30633 is a use-after-free condition in the Indexed DB API implementation within Google Chrome versions prior to 93.0.4577.82. It is tracked as CWE-416 and affects the renderer process when handling specific database operations triggered by web content.

A remote attacker who has already gained control of the renderer process can leverage a crafted HTML page to trigger the flaw and escape the Chrome sandbox. Successful exploitation yields high impact across confidentiality, integrity, and availability, consistent with the CVSS 9.6 rating that assumes network access, low attack complexity, and required user interaction.

Chrome stable channel updates and corresponding Fedora package advisories direct users to upgrade to version 93.0.4577.82 or later to address the issue. No information on in-the-wild exploitation is present in the provided references.

EU & UK References

Vulnerability details

Use after free in Indexed DB API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 93.0.4577.82
fedoraproject
fedora
33, 35

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (Chrome 93.0.4577.82+) that eliminates the use-after-free in the IndexedDB renderer code.

prevent

Enforces separate execution domains between renderer processes and the browser kernel, blocking the sandbox escape that the compromised renderer attempts to achieve.

prevent

Implements memory-protection safeguards that reduce the exploitability of use-after-free conditions (CWE-416) in browser rendering components.

References