CVE-2021-21106

9.6 CRITICAL

📋 TL;DR

This is a use-after-free in Chrome's autofill component. Autofill code runs in the browser process, outside the renderer sandbox, so an attacker who has already compromised a renderer process (typically via a separate JavaScript engine bug) can reach it from a crafted HTML page, trigger heap corruption in the browser process and escape the sandbox. It affects Google Chrome versions prior to 87.0.4280.141. Successful exploitation yields code execution outside the sandbox with the privileges of the logged-in user; taking over the whole machine needs a further privilege escalation.

💻 Affected Systems

Products:
  • Google Chrome
Versions: prior to 87.0.4280.141
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Chrome installations with default settings. Chromium-based browsers may also be affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution outside the browser sandbox as the logged-in user, chained with a separate privilege escalation to take full control of the victim's machine.

🟠

Likely Case

Only reachable after a renderer compromise, so this is one link in an exploit chain rather than a stand-alone attack; when chained, it turns a sandboxed renderer bug into code execution as the user, with persistence and lateral movement from there.

🟢

If Mitigated

None once Chrome is at 87.0.4280.141 or later. Note that the renderer sandbox itself is not a mitigation here: this bug is the sandbox escape, and it only matters because the sandbox is in place.

🌐 Internet-Facing: HIGH - Attackers can deliver exploit via malicious websites.
🏢 Internal Only: MEDIUM - Requires user interaction with malicious content.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires prior renderer compromise, making it a second-stage exploit for sandbox escape.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 87.0.4280.141

Vendor Advisory: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click the three-dot menu → Help → About Google Chrome.
3. Chrome checks for and installs the update automatically.
4. Click 'Relaunch' to restart Chrome; the new version is not in use until every Chrome process has restarted.

🔧 Temporary Workarounds

Disable JavaScript (all platforms)

Removes the usual first stage of the chain: this bug needs an already-compromised renderer, which in practice means a JavaScript engine bug. Disabling JavaScript (Settings → Privacy and security → Site settings, or the DefaultJavaScriptSetting enterprise policy) does not remove the vulnerable autofill code, and it breaks most websites.

Use Chrome Enterprise policies (all platforms)

Via Group Policy, MDM or the Linux policy directory, turn off autofill (the AutofillAddressEnabled and AutofillCreditCardEnabled policies set to false) so the affected code runs less often. Treat this as exposure reduction, not a fix: the vendor has not documented these policies as a mitigation for this CVE.

🧯 If You Can't Patch

  • Restrict user access to untrusted websites using web filtering, since the exploit is delivered by a crafted page.
  • Application allowlisting will not stop the in-memory exploit itself, but it limits what a post-escape payload can launch or persist.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings → About Chrome. If version is less than 87.0.4280.141, system is vulnerable.

Check Version:

google-chrome --version (Linux) or navigate to chrome://version

Verify Fix Applied:

Confirm Chrome version is 87.0.4280.141 or higher in About Chrome.
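The version comparison above has to be done numerically per field: 87.0.4280.88 is older than 87.0.4280.141, although "88" sorts after "141" as a string, which is an easy mistake in a quick shell one-liner. The script below is an added example, not part of the original advisory: it parses the output of `--version` (or any string containing a Chrome version) and compares it against the fixed release. The list of binary names and the macOS path are assumptions about common installs; on Windows, chrome.exe does not print a version to the console, so use chrome://version or the ProductVersion of chrome.exe there.

```python
"""Added example: check an installed Chrome version against the fix for CVE-2021-21106."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "87.0.4280.141"

# Candidate binaries on Linux and macOS (assumption: adjust for your packaging).
CHROME_BINARIES = [
    "google-chrome",
    "google-chrome-stable",
    "chromium",
    "chromium-browser",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the first MAJOR.MINOR.BUILD.PATCH from e.g. 'Google Chrome 87.0.4280.88'."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version is strictly below the fixed one, False if patched,
    None if no four-part version could be found. Tuples of ints compare
    field by field, so 87.0.4280.88 < 87.0.4280.141 as intended."""
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Run the first Chrome/Chromium binary found with --version (Linux/macOS)."""
    for name in CHROME_BINARIES:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=15)
        except (OSError, subprocess.SubprocessError):
            continue
        return out.stdout.strip()
    return None


if __name__ == "__main__":
    text = installed_chrome_version()
    if text is None:
        print("No Chrome/Chromium binary found on PATH")
    else:
        verdict = {True: "VULNERABLE", False: "patched", None: "unknown version"}
        print(f"{text}: {verdict[is_vulnerable(text)]} (fixed in {FIXED_VERSION})")
```

For fleet-wide checks, feed the same `is_vulnerable` function the version strings your inventory tool already collects rather than shelling out on every host.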

📡 Detection & Monitoring

Log Indicators:

  • Crashes of the Chrome browser process itself (the chrome process started without a --type= argument), as opposed to routine renderer/tab crashes; a failed use-after-free trigger in autofill would surface there
  • Process creation where the parent is chrome.exe and the child is not chrome.exe (cmd.exe, powershell.exe, rundll32.exe, a shell on Linux/macOS): chrome.exe normally spawns only its own renderer, GPU and utility processes and a few helper binaries

Network Indicators:

  • Unusual outbound connections from Chrome processes
  • Traffic to known malicious domains

SIEM Query:

(event_type="crash" AND process_name="chrome.exe") OR (event_type="process_create" AND parent_process="chrome.exe" AND process_name!="chrome.exe")

Field names vary by SIEM; adapt them to your schema and allowlist Chrome's own helper binaries. Do not key on process_name="chrome.exe" with parent_process!="explorer.exe": every renderer is a chrome.exe child of chrome.exe, so that form fires on every tab.
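The same logic as the query, run over sample telemetry, as an added example (not part of the original page): it flags process-creation events where a Chrome process spawned something that is neither Chrome nor an allowlisted helper, and ignores the normal chrome.exe → chrome.exe renderer launches. The JSON-lines format, field names and the allowlist are assumptions; map them to your own endpoint telemetry.

```python
"""Added example: flag non-Chrome children of Chrome processes in process-creation logs."""
import json
import os.path
from typing import Dict, Iterable, List

# Executable names treated as "Chrome" (assumption: extend for Edge, Brave and other Chromium builds).
CHROME_IMAGES = {"chrome.exe", "chrome", "google chrome", "chromium", "chromium-browser"}
# Children Chrome legitimately starts on Windows; an assumed allowlist to tune per environment.
ALLOWED_CHILDREN = {"chrome_pwa_launcher.exe", "notification_helper.exe"}


def image_name(path: str) -> str:
    """Reduce a Windows or POSIX path to its lowercase basename."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_suspicious_child(event: Dict[str, str]) -> bool:
    """True when a Chrome process spawned something that is not Chrome and not allowlisted.
    Renderer, GPU and utility processes are chrome.exe children too, so a rule keyed on
    'parent != explorer.exe' would fire on every tab; keying on the child image does not."""
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    if parent not in CHROME_IMAGES or child in CHROME_IMAGES:
        return False
    return child not in ALLOWED_CHILDREN


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Filter JSON-lines events down to suspicious process creations under Chrome."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "process_create" and is_suspicious_child(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (not real logs), one JSON object per line.
SAMPLE_LOG = r"""
{"event_type":"process_create","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"chrome.exe"}
{"event_type":"process_create","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe --type=renderer"}
{"event_type":"process_create","image":"C:\\Program Files\\Google\\Chrome\\Application\\notification_helper.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"notification_helper.exe"}
{"event_type":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"powershell.exe -nop -w hidden -enc ..."}
{"event_type":"process_create","image":"/bin/sh","parent_image":"/opt/google/chrome/chrome","cmdline":"sh -c curl ..."}
{"event_type":"crash","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","reason":"EXCEPTION_ACCESS_VIOLATION"}
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"ALERT parent={hit['parent_image']} spawned {hit['image']}: {hit['cmdline']}")
```

Against the sample, only the powershell.exe and /bin/sh launches are reported; the renderer launch and the notification helper pass. The crash event is skipped by this rule and belongs in the separate crash-signal query.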
