CVE-2021-21115

9.6 CRITICAL

📋 TL;DR

This is a use-after-free vulnerability in Chrome's safe browsing component that allows a compromised renderer process to escape the browser sandbox. Attackers could execute arbitrary code with elevated privileges by tricking users into visiting malicious websites. All Chrome users on versions before 87.0.4280.141 are affected.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 87.0.4280.141
Operating Systems: Windows, Linux, macOS, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: All Chrome installations with safe browsing enabled (default) are vulnerable. Requires renderer process compromise first.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attacker gains full control of the victim's machine, installs malware, steals credentials, and accesses sensitive data.

🟠 Likely Case

Attacker escapes Chrome sandbox to execute arbitrary code with user-level privileges, potentially installing ransomware, keyloggers, or joining botnets.

🟢 If Mitigated

With updated Chrome, no impact as the vulnerability is patched. With proper network controls, malicious sites may be blocked before exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires chaining with another vulnerability to compromise renderer first, then this vulnerability enables sandbox escape.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 87.0.4280.141

Vendor Advisory: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome
2. Click menu (three dots) → Help → About Google Chrome
3. Chrome will automatically check for and install updates
4. Click 'Relaunch' to restart Chrome

🔧 Temporary Workarounds

Disable JavaScript (platform: all)

Temporarily disable JavaScript to prevent exploitation. This breaks most websites.

chrome://settings/content/javascript → Block

Use alternative browser (platform: all)

Switch to an updated alternative browser until Chrome is patched

🧯 If You Can't Patch

  • Implement network filtering to block known malicious domains
  • Restrict user privileges and implement application whitelisting

🔍 How to Verify

Check if Vulnerable:

Open chrome://version and check the reported version. The installation is vulnerable if the version is below 87.0.4280.141.

Check Version:

chrome://version

Verify Fix Applied:

Confirm Chrome version is 87.0.4280.141 or higher
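The same check for a whole fleet, as an added example that is not part of the original advisory: it compares each four-part version numerically against 87.0.4280.141, because a plain string comparison misorders builds such as 87.0.4280.88. The `host,version` inventory format, the hostnames and the sample values are constructed for illustration.

```python
import re

FIXED = (87, 0, 4280, 141)  # patch version stated in the advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    m = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text, fixed=FIXED):
    """'vulnerable' below the fixed build, 'patched' at or above it, 'unknown' if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # never assume a host is safe when the version cannot be read
    return "vulnerable" if v < fixed else "patched"


def audit(inventory_lines):
    """Map host -> status for lines of the form 'host,version' (constructed format)."""
    results = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results


# Constructed sample inventory; hostnames are placeholders.
SAMPLE = [
    "# host,chrome_version",
    "ws-001,87.0.4280.88",   # a string comparison would call this patched ('8' > '1')
    "ws-002,87.0.4280.141",
    "ws-003,9.0.597.107",    # a string comparison would also misorder this one
    "ws-004,88.0.4324.96",
    "ws-005,87.0.4280",      # truncated value, e.g. from a broken collector
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check in chrome://version rather than being counted as patched.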

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with safe browsing component
  • Unusual process creation from Chrome sandbox

Network Indicators:

  • Connections to known malicious domains triggering safe browsing
  • Unusual outbound traffic from Chrome processes

SIEM Query:

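process_name:chrome.exe AND (parent_process:chrome.exe OR command_line:*--type=renderer*) AND event_type:process_creation

Note: Chrome starts renderer child processes with --type=renderer during normal browsing, so this query also matches routine activity. Treat its results as a baseline and look for deviations from it rather than alerting on every hit.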
