CVE-2021-21108 – This is a critical use-after-free vulnerability... (How to Fix)

Q: What is the severity of CVE-2021-21108?

CVE-2021-21108 has a CVSS score of 9.6 (CRITICAL). This is a critical use-after-free vulnerability in Google Chrome's media component that allows a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox. Attackers could execute arbitrary code with the privileges of the Chrome process, potentially gaining full system access. All users running Chrome versions prior to 87.0.4280.141 are affected.

📋 TL;DR

This is a critical use-after-free vulnerability in Google Chrome's media component that allows a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox. Attackers could execute arbitrary code with the privileges of the Chrome process, potentially gaining full system access. All users running Chrome versions prior to 87.0.4280.141 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 87.0.4280.141

Operating Systems: Windows, Linux, macOS, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Chromium-based browsers may also be affected depending on their codebase.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise - attacker gains complete control over the victim's system, can install malware, steal data, and pivot to other systems.

🟠

Likely Case

Sandbox escape leading to arbitrary code execution with Chrome process privileges, enabling persistence, credential theft, and lateral movement.

🟢

If Mitigated

Limited impact if Chrome sandbox is properly configured and system-level protections exist, though renderer compromise still possible.

🌐 Internet-Facing: HIGH - Attackers can exploit via crafted HTML pages delivered through web browsing, email, or malicious ads.

🏢 Internal Only: MEDIUM - Requires initial renderer compromise which could occur through internal web applications or phishing.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires renderer process compromise first, then sandbox escape. The bug ID 1155426 suggests active exploitation was occurring.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 87.0.4280.141 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu. 3. Go to Help > About Google Chrome. 4. Chrome will automatically check for and install updates. 5. Click Relaunch to restart Chrome with the updated version.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious JavaScript that could trigger the vulnerability

chrome://settings/content/javascript

Use Site Isolation

all

Enhances sandboxing by isolating each site in separate processes

chrome://flags/#enable-site-per-process

🧯 If You Can't Patch

Restrict Chrome usage to trusted websites only
Implement application whitelisting to prevent unauthorized Chrome execution

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 87.0.4280.141, system is vulnerable.

Check Version:

chrome://version/ or 'google-chrome --version' on Linux

Verify Fix Applied:

Confirm Chrome version is 87.0.4280.141 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with media-related processes
Unusual Chrome child process creation patterns
Sandbox escape attempts in system logs

Network Indicators:

Requests to known exploit domains
Unusual outbound connections from Chrome processes

SIEM Query:

process_name:"chrome.exe" AND (event_id:1000 OR event_id:1001) AND description:"media" OR process_name:"chrome.exe" AND parent_process NOT IN ("explorer.exe", "chrome.exe")

📊 Metadata

CVE ID: CVE-2021-21108

CVSS v3 Score: 9.6 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-416

Published: January 8, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1155426 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN/
https://security.gentoo.org/glsa/202101-05 Third Party Advisory
https://www.debian.org/security/2021/dsa-4832 Third Party Advisory
https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1155426 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN/
https://security.gentoo.org/glsa/202101-05 Third Party Advisory
https://www.debian.org/security/2021/dsa-4832 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-21108, you might also want to check these: