CVE-2021-21203

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's Blink rendering engine that allows remote attackers to potentially exploit heap corruption. Attackers can craft malicious HTML pages to trigger memory corruption, potentially leading to arbitrary code execution. All users running Chrome versions prior to 90.0.4430.72 are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 90.0.4430.72
Operating Systems: Windows, Linux, macOS, Android, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome configurations are vulnerable. Chromium-based browsers may also be affected depending on their Blink engine version.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise if Chrome is running with elevated privileges.

🟠 Likely Case

Browser crash (denial of service) or limited code execution within Chrome's sandbox, potentially allowing data theft or further exploitation.

🟢 If Mitigated

Browser crash with no data compromise if sandboxing works correctly and no additional vulnerabilities are chained.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious websites or ads without user interaction beyond visiting a page.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal web pages or click malicious links in emails.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Use-after-free vulnerabilities in browser engines are commonly exploited in the wild, but no specific weaponization evidence is publicly available for this CVE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 90.0.4430.72 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html

Restart Required: Yes

Instructions:

1. Open Chrome and click the three-dot menu.
2. Go to Help > About Google Chrome.
3. Chrome will automatically check for updates and install version 90.0.4430.72 or later.
4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable JavaScript

Platforms: all

Temporarily disable JavaScript to prevent exploitation via malicious HTML pages.

Setting: chrome://settings/content/javascript

Use Site Isolation

Platforms: all

Ensure site isolation is enabled to limit the impact of potential exploitation.

Setting: chrome://flags/#enable-site-per-process (ensure enabled)

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement network filtering to block malicious HTML content

🔍 How to Verify

Check if Vulnerable:

Check the Chrome version: if it is lower than 90.0.4430.72, the system is vulnerable.

Check Version:

google-chrome --version (Linux) or chrome://version (all platforms)

Verify Fix Applied:

Verify Chrome version is 90.0.4430.72 or higher after update.
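The version check above, as an added example that is not part of this advisory: a POSIX shell script that extracts the dotted version from the output of `google-chrome --version` (Linux) and compares it component by component against the fixed version 90.0.4430.72. A component-wise comparison is needed because a plain string comparison would rank "9.x" above "90.x". The `--version` lines fed to it at the bottom are constructed samples; on other platforms the version string shown at chrome://version can be passed as the argument instead.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed Chrome
# build predates the fix for CVE-2021-21203.
FIXED_VERSION="90.0.4430.72"

# version_lt A B: return 0 (true) if A < B when both are compared as
# four dotted numeric components; missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# extract_version LINE: print the first four-part dotted version in LINE,
# e.g. "Google Chrome 89.0.4389.114" -> "89.0.4389.114"; print nothing if absent.
extract_version() {
    printf '%s\n' "$1" | sed -n \
        's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# chrome_status LINE: print VULNERABLE (...), PATCHED (...) or UNKNOWN for a
# --version line; exit status 1 = vulnerable, 0 = patched, 2 = unparseable.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        printf 'UNKNOWN\n'
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        printf 'VULNERABLE (%s)\n' "$v"
        return 1
    fi
    printf 'PATCHED (%s)\n' "$v"
    return 0
}

# Constructed sample --version outputs (not real hosts); `|| :` keeps the
# demo loop running under `set -e` when a sample is flagged vulnerable.
for sample in "Google Chrome 89.0.4389.114" \
              "Google Chrome 90.0.4430.72" \
              "Chromium 100.0.4896.60"; do
    chrome_status "$sample" || :
done

# On a real Linux host, uncomment to check the installed binary:
# chrome_status "$(google-chrome --version 2>/dev/null)"
```

The exit status of `chrome_status` makes the script usable from configuration-management or fleet-audit jobs: 1 marks a host that still needs the update, 0 a patched one, and 2 a host where Chrome could not be queried and should be inspected by hand.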

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with memory corruption errors
  • Unexpected Chrome process termination

Network Indicators:

  • Requests to known malicious domains serving crafted HTML
  • Unusual outbound connections from Chrome processes

SIEM Query:

process_name:"chrome.exe" AND (event_id:1000 OR event_id:1001) AND description:"EXCEPTION_ACCESS_VIOLATION"
