Cyber Resilience

CVE-2021-4102

HighCISA KEVActive ExploitationEUVD Exploited

Published: 11 February 2022

Published
11 February 2022
Modified
24 October 2025
KEV Added
15 December 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0546 90.4th percentile
Risk Priority 41 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-4102 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 9.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability is a use-after-free flaw (CWE-416) in the V8 JavaScript engine within Google Chrome versions prior to 96.0.4664.110. Successful exploitation can result in heap corruption, as reflected in the CVSS 3.1 base score of 8.8.

A remote attacker can trigger the issue by convincing a user to visit a specially crafted HTML page, after which the attacker may achieve arbitrary code execution or other impacts on the affected system.

Chrome stable channel updates released in December 2021 address the flaw by advancing the browser to version 96.0.4664.110. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.

EU & UK References

Vulnerability details

Use after free in V8 in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
15 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 96.0.4664.110

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patch that advances Chrome to 96.0.4664.110 and eliminates the use-after-free in V8.

SC-18 Mobile Code partial match
prevent

Restricts or authorizes execution of mobile code (JavaScript) that a remote attacker uses to trigger the V8 flaw via a crafted HTML page.

preventdetect

Deploys malicious-code protection mechanisms capable of blocking or alerting on exploit payloads that target the known Chrome vulnerability.

References