CVE-2021-21156 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-21156?

CVE-2021-21156 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code or cause denial of service via heap corruption in Chrome's V8 JavaScript engine. All users running vulnerable versions of Google Chrome are affected when visiting malicious websites.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code or cause denial of service via heap corruption in Chrome's V8 JavaScript engine. All users running vulnerable versions of Google Chrome are affected when visiting malicious websites.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 88.0.4324.182

Operating Systems: Windows, Linux, macOS, Android, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Enterprise deployments with older versions are at highest risk.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment

🟠

Likely Case

Browser crash (denial of service) or limited code execution within browser sandbox

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls

🌐 Internet-Facing: HIGH - Exploitable via visiting malicious websites, no authentication required

🏢 Internal Only: MEDIUM - Could be exploited via internal phishing or compromised internal sites

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Proof-of-concept exploit code is publicly available. Exploitation requires JavaScript execution in victim's browser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 88.0.4324.182 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html

Restart Required: Yes

Instructions:

1. Open Chrome menu > Help > About Google Chrome. 2. Chrome will automatically check for updates. 3. If update is available, click 'Update Google Chrome'. 4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by blocking JavaScript execution

chrome://settings/content/javascript > Block

Use Chrome Enterprise policies

all

Restrict browser capabilities via Group Policy or management console

Configure via Chrome Enterprise policies: https://support.google.com/chrome/a/answer/9025856

🧯 If You Can't Patch

Use alternative browser temporarily
Implement web filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version via chrome://settings/help or chrome://version

Check Version:

google-chrome --version (Linux) or open chrome://version in browser

Verify Fix Applied:

Confirm Chrome version is 88.0.4324.182 or higher

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Unexpected browser termination events
Security event logs showing exploit attempts

Network Indicators:

Traffic to known exploit domains
Suspicious JavaScript payloads in web traffic

SIEM Query:

source="chrome" AND (event_type="crash" OR message="*V8*" OR message="*heap*overflow*")

📊 Metadata

CVE ID: CVE-2021-21156

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: February 22, 2021

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/162579/Chrome-Array-Transfer-Bypass.html Third Party Advisory,VDB Entry
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html Release Notes,Vendor Advisory
https://crbug.com/1177341 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BI6ZIJQYP5DFMYVX4J5OGOU2NQLEZ3SB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX/
https://security.gentoo.org/glsa/202104-08 Third Party Advisory
http://packetstormsecurity.com/files/162579/Chrome-Array-Transfer-Bypass.html Third Party Advisory,VDB Entry
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html Release Notes,Vendor Advisory
https://crbug.com/1177341 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BI6ZIJQYP5DFMYVX4J5OGOU2NQLEZ3SB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX/
https://security.gentoo.org/glsa/202104-08 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-21156, you might also want to check these: