CVE-2021-30535 – This vulnerability is a double-free memory corr... (How to Fix)

Q: What is the severity of CVE-2021-30535?

CVE-2021-30535 has a CVSS score of 8.8 (HIGH). This vulnerability is a double-free memory corruption flaw in Chrome's ICU library that allows remote attackers to potentially execute arbitrary code or cause denial of service. It affects Google Chrome users on all platforms who visit malicious websites. The vulnerability can be triggered through a crafted HTML page without user interaction.

📋 TL;DR

This vulnerability is a double-free memory corruption flaw in Chrome's ICU library that allows remote attackers to potentially execute arbitrary code or cause denial of service. It affects Google Chrome users on all platforms who visit malicious websites. The vulnerability can be triggered through a crafted HTML page without user interaction.

💻 Affected Systems

Products:

Google Chrome

Versions: All versions prior to 91.0.4472.77

Operating Systems: Windows, Linux, macOS, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All Chrome installations are vulnerable by default. ICU (International Components for Unicode) is a core Chrome component.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within sandboxed Chrome process.

🟢

If Mitigated

Browser crash only, with Chrome's sandbox preventing system-level compromise.

🌐 Internet-Facing: HIGH - Exploitable via visiting malicious websites, no authentication required.

🏢 Internal Only: MEDIUM - Requires user to visit malicious internal pages or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires bypassing Chrome's sandbox and ASLR for full RCE. Basic DoS is easier to achieve.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 91.0.4472.77

Vendor Advisory: https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html

Restart Required: Yes

Instructions:

1. Open Chrome 2. Click menu (three dots) → Help → About Google Chrome 3. Chrome will automatically check for and install update 4. Click 'Relaunch' to restart Chrome

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution in Chrome

chrome://settings/content/javascript → Toggle to 'Blocked'

Use Site Isolation

all

Enhances Chrome's site isolation to limit impact

chrome://flags/#enable-site-per-process → Enable

🧯 If You Can't Patch

Use alternative browsers until Chrome can be updated
Implement network filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: chrome://version/ - if version is below 91.0.4472.77, system is vulnerable

Check Version:

google-chrome --version (Linux) or check chrome://version/ (all platforms)

Verify Fix Applied:

Confirm Chrome version is 91.0.4472.77 or higher via chrome://version/

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption errors
Unexpected Chrome process termination

Network Indicators:

Requests to known malicious domains serving exploit code
Unusual outbound connections after visiting suspicious sites

SIEM Query:

source="chrome" AND (event_type="crash" OR message="*double free*" OR message="*heap corruption*")

📊 Metadata

CVE ID: CVE-2021-30535

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-415

Published: June 7, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html Release Notes,Vendor Advisory
https://crbug.com/1194899 Exploit,Issue Tracking,Patch,Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/
https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html Release Notes,Vendor Advisory
https://crbug.com/1194899 Exploit,Issue Tracking,Patch,Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-30535, you might also want to check these: