CVE-2021-21112 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2021-21112?

CVE-2021-21112 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Chrome's Blink rendering engine that allows remote attackers to potentially execute arbitrary code or cause heap corruption. It affects all users running Chrome versions prior to 87.0.4280.141. Attackers can exploit this by tricking users into visiting a malicious webpage.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's Blink rendering engine that allows remote attackers to potentially execute arbitrary code or cause heap corruption. It affects all users running Chrome versions prior to 87.0.4280.141. Attackers can exploit this by tricking users into visiting a malicious webpage.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 87.0.4280.141

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Extensions or security settings don't mitigate this.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within browser sandbox.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can host malicious pages on the internet and target any vulnerable Chrome user.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious page) but no authentication. Chrome's sandbox makes reliable exploitation challenging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 87.0.4280.141 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click menu (three dots) → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the patched version.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation since the vulnerability requires JavaScript execution.

Use Chrome Enterprise policies

all

Block access to untrusted websites via URL blacklists or force Chrome updates.

🧯 If You Can't Patch

Restrict web browsing to trusted sites only using proxy or firewall rules.
Deploy application whitelisting to prevent unauthorized code execution.

🔍 How to Verify

Check if Vulnerable:

Open Chrome, go to chrome://version and check if version is below 87.0.4280.141.

Check Version:

google-chrome --version (Linux), 'About Google Chrome' in menu (Windows/macOS)

Verify Fix Applied:

Confirm Chrome version is 87.0.4280.141 or higher via chrome://version.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption signatures
Unexpected browser process termination

Network Indicators:

Requests to known malicious domains hosting exploit code
Unusual outbound connections after visiting suspicious sites

SIEM Query:

source="chrome_crash_logs" AND (message="heap corruption" OR message="use-after-free")

📊 Metadata

CVE ID: CVE-2021-21112

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: January 8, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1151298 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN/
https://security.gentoo.org/glsa/202101-05 Third Party Advisory
https://www.debian.org/security/2021/dsa-4832 Third Party Advisory
https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1151298 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN/
https://security.gentoo.org/glsa/202101-05 Third Party Advisory
https://www.debian.org/security/2021/dsa-4832 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-21112, you might also want to check these: