CVE-2021-21146

9.6 CRITICAL

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's navigation component that allows a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox. Attackers could execute arbitrary code with elevated privileges on affected systems. All users running vulnerable versions of Chrome are affected.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 88.0.4324.146
Operating Systems: Windows, Linux, macOS, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires renderer process compromise first, typically via another vulnerability. Chrome's sandbox must be enabled (default).

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via sandbox escape leading to arbitrary code execution with system-level privileges, potentially enabling ransomware deployment, data theft, or persistent backdoor installation.

🟠

Likely Case

Attackers who have already compromised the renderer process (via other vulnerabilities) can escalate privileges to escape the sandbox and execute code with higher privileges, potentially accessing system resources and files.

🟢

If Mitigated

With proper controls like Chrome's sandbox enabled and up-to-date antivirus, exploitation would be limited to the sandboxed process, preventing system-wide compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires chaining with another vulnerability to first compromise the renderer process. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 88.0.4324.146 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click the three-dot menu → Help → About Google Chrome.
3. Chrome will automatically check for and install updates.
4. Click 'Relaunch' to restart Chrome with the updated version.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript to prevent exploitation of renderer process vulnerabilities that could chain with this issue.

chrome://settings/content/javascript → toggle off

Use Site Isolation

all

Ensure site isolation is enabled to limit impact of renderer process compromises.

chrome://flags/#site-isolation-trial-opt-out → set to 'Disabled'

🧯 If You Can't Patch

  • Disable Chrome or switch to alternative browser until patched.
  • Implement application whitelisting to block Chrome execution.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if version is less than 88.0.4324.146, system is vulnerable.

Check Version:

chrome://version

Verify Fix Applied:

Confirm Chrome version is 88.0.4324.146 or higher after update.
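The version check above is easy to get wrong if versions are compared as strings (a string comparison ranks "100.x" below "88.x"). The following script is an added example, not part of the original advisory: it extracts a four-part Chrome version from text such as the output of `google-chrome --version` or the chrome://version page and compares it numerically against the fixed build 88.0.4324.146. The sample version strings are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed build named in the advisory for CVE-2021-21146.
FIXED_VERSION = "88.0.4324.146"

# Chrome versions are four dot-separated integers (major.minor.build.patch).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first four-part dotted version in `text` as a tuple of ints,
    or None when no such version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version.

    Components are compared numerically; comparing the raw strings would
    wrongly rank '100.0.4896.60' below '88.0.4324.146'.
    """
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"no Chrome version found in: {version_text!r}")
    return installed < parse_version(fixed)


# Constructed sample inputs in the shape `google-chrome --version` prints;
# the mapped value is whether the build predates the fix.
SAMPLES = {
    "Google Chrome 88.0.4324.96": True,    # pre-fix build
    "Google Chrome 88.0.4324.146": False,  # the fixed build itself
    "Google Chrome 88.0.4324.150": False,
    "Google Chrome 100.0.4896.60": False,  # misjudged by string comparison
    "Chromium 87.0.4280.141": True,
}


def audit(lines=SAMPLES) -> dict:
    """Classify each version line; returns {line: 'VULNERABLE' | 'patched'}."""
    return {line: ("VULNERABLE" if is_vulnerable(line) else "patched")
            for line in lines}


if __name__ == "__main__":
    for line, status in audit().items():
        print(f"{line:32s} -> {status}")
```

On a managed fleet the same comparison can be run over the version strings collected by your inventory tool; the regex deliberately ignores the product name so both "Google Chrome" and "Chromium" lines are handled.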

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with navigation-related errors
  • Unexpected Chrome renderer process termination
  • Security event logs showing Chrome privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from Chrome processes
  • Traffic to known exploit hosting domains

SIEM Query:

source="chrome" AND (event_type="crash" OR (process_name="chrome.exe" AND parent_process!="explorer.exe"))
