CVE-2021-4102
Published: 11 February 2022
Summary
CVE-2021-4102 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability is a use-after-free flaw (CWE-416) in the V8 JavaScript engine within Google Chrome versions prior to 96.0.4664.110. Successful exploitation can result in heap corruption, as reflected in the CVSS 3.1 base score of 8.8.
A remote attacker can trigger the issue by convincing a user to visit a specially crafted HTML page, after which the attacker may achieve arbitrary code execution or other impacts on the affected system.
Chrome stable channel updates released in December 2021 address the flaw by advancing the browser to version 96.0.4664.110. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.
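To support the remediation described above, the following added example (not part of the original page) triages a Chrome inventory against the fixed build 96.0.4664.110. The `hostname,version` line format and host names are assumptions, and the sample data is constructed. Version components are compared numerically, because a plain string comparison would rank 96.0.4664.93 above 96.0.4664.110.

```python
import re

# Fixed version stated on this page; builds below it are affected.
FIXED = (96, 0, 4664, 110)
_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Classify one reported version as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never treat unparseable data as patched
    return "vulnerable" if version < FIXED else "patched"

def triage(inventory_lines):
    """Group hosts by status from 'hostname,version' lines (assumed format)."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition(",")
        result[classify(version_text)].append(host.strip())
    return result

# Constructed sample inventory, not real data.
SAMPLE = """\
# hostname,chrome_version
ws-001,96.0.4664.93
ws-002,96.0.4664.110
ws-003,95.0.4638.69
ws-004,97.0.4692.71
ws-005,96.0.4664
ws-006,
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE.splitlines()).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check rather than being counted as patched.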
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-33987
Vulnerability details
Use after free in V8 in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 15 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patch that advances Chrome to 96.0.4664.110 and eliminates the use-after-free in V8.
Restricts or authorizes execution of mobile code (JavaScript) that a remote attacker uses to trigger the V8 flaw via a crafted HTML page.
Deploys malicious-code protection mechanisms capable of blocking or alerting on exploit payloads that target the known Chrome vulnerability.