CVE-2021-30524 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2021-30524?

CVE-2021-30524 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Chrome's TabStrip component that allows heap corruption. Attackers can exploit it by convincing users to install a malicious extension and then visiting a crafted HTML page. Users of Chrome versions prior to 91.0.4472.77 are affected.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's TabStrip component that allows heap corruption. Attackers can exploit it by convincing users to install a malicious extension and then visiting a crafted HTML page. Users of Chrome versions prior to 91.0.4472.77 are affected.

💻 Affected Systems

Products:

Google Chrome

Versions: All versions prior to 91.0.4472.77

Operating Systems: Windows, Linux, macOS, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires both a malicious extension and crafted HTML page. Standard Chrome installations are vulnerable.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or installation of persistent malware.

🟠

Likely Case

Browser crash, memory corruption, or limited code execution within the browser sandbox.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if malicious extensions are prevented from being installed.

🌐 Internet-Facing: HIGH - Exploitation requires user interaction but can be triggered via web content.

🏢 Internal Only: MEDIUM - Requires user to install malicious extension, which is less likely in controlled environments.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires social engineering to install malicious extension plus crafted HTML page. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 91.0.4472.77 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click menu (three dots) > Help > About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click Relaunch to restart Chrome with the update.

🔧 Temporary Workarounds

Disable extension installation

all

Prevent users from installing extensions to block the initial attack vector.

chrome://settings/extensions > Toggle 'Allow extensions from other stores' to OFF
Use Group Policy to restrict extension installation

Use Chrome Enterprise policies

all

Configure policies to block malicious extensions and restrict browser behavior.

Configure ExtensionInstallBlocklist and ExtensionInstallForcelist policies

🧯 If You Can't Patch

Restrict extension installation permissions to trusted sources only.
Implement web filtering to block access to potentially malicious HTML pages.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 91.0.4472.77, the system is vulnerable.

Check Version:

On Chrome: chrome://version | On command line: google-chrome --version

Verify Fix Applied:

Confirm Chrome version is 91.0.4472.77 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with TabStrip-related errors
Unexpected extension installation events in system logs

Network Indicators:

Requests to known malicious domains hosting crafted HTML pages
Unusual extension update traffic

SIEM Query:

source="chrome_crash_reports" AND (message="TabStrip" OR message="use-after-free")

📊 Metadata

CVE ID: CVE-2021-30524

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: June 7, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html Release Notes,Vendor Advisory
https://crbug.com/1197146 Exploit,Issue Tracking,Patch,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/
https://security.gentoo.org/glsa/202107-06 Third Party Advisory
https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html Release Notes,Vendor Advisory
https://crbug.com/1197146 Exploit,Issue Tracking,Patch,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/
https://security.gentoo.org/glsa/202107-06 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-30524, you might also want to check these: