CVE-2021-30552

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Chrome's extension system that allows heap corruption. Attackers can exploit it by tricking users into installing malicious extensions and visiting crafted HTML pages. All Chrome users prior to version 91.0.4472.101 are affected.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 91.0.4472.101
Operating Systems: Windows, Linux, macOS, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires both a malicious extension installation AND visiting a crafted HTML page. Extensions from Chrome Web Store are vetted, but sideloaded or developer mode extensions bypass this.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via arbitrary code execution, potentially leading to data theft, ransomware deployment, or complete system control.

🟠 Likely Case: Limited compromise of the Chrome process leading to session hijacking, credential theft, or installation of additional malware.

🟢 If Mitigated: No impact if Chrome is updated to the patched version and users don't install untrusted extensions.

🌐 Internet-Facing: HIGH - Attackers can host malicious HTML pages on the internet and trick users into visiting them.
🏢 Internal Only: MEDIUM - Requires user interaction (installing malicious extension and visiting crafted page), but internal phishing could facilitate this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to get a malicious extension installed, plus a visit to a crafted page. No public exploit code was found in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 91.0.4472.101

Vendor Advisory: https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click the three-dots menu → Help → About Google Chrome.
3. Chrome will automatically check for and install the update.
4. Click 'Relaunch' to restart Chrome with the updated version.

🔧 Temporary Workarounds

Disable Extension Installation (Platforms: all)

Prevent users from installing extensions via Group Policy or registry settings.

Windows: Set the 'ExtensionInstallBlocklist' policy to '*'
macOS/Linux: Use enterprise policies to block extension installation

Restrict Extension Sources (Platforms: all)

Only allow extensions from the Chrome Web Store.

Set the 'ExtensionInstallSources' policy to only allow https://chrome.google.com/webstore/*

🧯 If You Can't Patch

  • Implement strict extension whitelisting policies
  • Deploy web filtering to block access to untrusted HTML content

🔍 How to Verify

Check if Vulnerable:

Check the Chrome version: if it is lower than 91.0.4472.101, the system is vulnerable.

Check Version:

Open chrome://version/ in the Chrome address bar, or run 'google-chrome --version' from the command line.

Verify Fix Applied:

Confirm Chrome version is 91.0.4472.101 or higher after update.
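The version check above is easy to get wrong with a plain string comparison ("91.0.4472.77" sorts after "91.0.4472.101" lexically). The following script, an added example that is not part of the advisory, parses the output of 'google-chrome --version' and compares each dotted component numerically against the fixed version 91.0.4472.101; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Compare an installed Chrome version against the fixed release 91.0.4472.101.
# Assumes a four-component dotted version somewhere in the --version output,
# e.g. "Google Chrome 91.0.4472.77" (constructed sample, not real data).

FIXED_VERSION="91.0.4472.101"

# version_lt A B -> returns 0 (true) if dotted version A is strictly lower than B.
# Components are compared as integers, so 77 < 101 as it should be.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0           # missing trailing component counts as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.};; *) a="";; esac   # drop the leading component
        case $b in *.*) b=${b#*.};; *) b="";; esac
    done
    return 1                             # versions are equal
}

# extract_version "<--version output>" -> prints the first N.N.N.N token found.
extract_version() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# chrome_status "<--version output>" -> prints VULNERABLE, PATCHED or UNKNOWN.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
    if version_lt "$v" "$FIXED_VERSION"; then echo "VULNERABLE"; else echo "PATCHED"; fi
}

# When run on a host with Chrome on PATH, report the local install's status.
if command -v google-chrome >/dev/null 2>&1; then
    chrome_status "$(google-chrome --version)"
fi
```

The same comparison logic applies to the version string shown at chrome://version/ if you are checking a Windows or macOS host by hand.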

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with extension-related memory errors
  • Unexpected extension installation events in system logs

Network Indicators:

  • Downloads of extensions from non-Chrome Web Store sources
  • HTTP requests to suspicious domains hosting crafted HTML

SIEM Query:

source="chrome_logs" AND ((event="extension_install" AND source!="chrome.google.com") OR (event="crash" AND process="chrome" AND error="heap_corruption"))

Note the explicit grouping: without the outer parentheses, AND binds tighter than OR and the source="chrome_logs" filter would apply only to the extension-install clause. Field names are placeholders and must be mapped to your own logging schema.
