CVE-2021-30562 – This vulnerability is a use-after-free memory c... (How to Fix)

Q: What is the severity of CVE-2021-30562?

CVE-2021-30562 has a CVSS score of 8.8 (HIGH). This vulnerability is a use-after-free memory corruption flaw in Chrome's WebSerial API that allows attackers to potentially execute arbitrary code or cause denial of service. It affects all users running Chrome versions prior to 91.0.4472.164. Attackers can exploit this by tricking users into visiting a malicious webpage.

📋 TL;DR

This vulnerability is a use-after-free memory corruption flaw in Chrome's WebSerial API that allows attackers to potentially execute arbitrary code or cause denial of service. It affects all users running Chrome versions prior to 91.0.4472.164. Attackers can exploit this by tricking users into visiting a malicious webpage.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 91.0.4472.164

Operating Systems: Windows, macOS, Linux, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WebSerial API to be enabled (default in Chrome). Mobile Chrome versions may also be affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure.

🟢

If Mitigated

No impact if Chrome is fully patched or WebSerial API is disabled.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites that users might visit.

🏢 Internal Only: MEDIUM - Could be exploited via internal phishing campaigns or compromised internal sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious page) and knowledge of heap manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 91.0.4472.164 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the patched version.

🔧 Temporary Workarounds

Disable WebSerial API

all

Disable the vulnerable WebSerial API via Chrome flags

Navigate to chrome://flags/#enable-experimental-web-platform-features
Set to 'Disabled'
Relaunch Chrome

Use Chrome Enterprise policies

all

Disable WebSerial via group policy for enterprise deployments

Set SerialAllowAllPortsForUrls policy to empty list
Set SerialAllowUsbDevicesForUrls policy to empty list

🧯 If You Can't Patch

Use alternative browsers without WebSerial support until patching is possible
Implement network filtering to block malicious websites and restrict internet browsing

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 91.0.4472.164, system is vulnerable

Check Version:

On Chrome: chrome://version/ or 'google-chrome --version' in terminal

Verify Fix Applied:

Confirm Chrome version is 91.0.4472.164 or higher

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with WebSerial-related stack traces
Unexpected Chrome process termination

Network Indicators:

Requests to suspicious domains with serial API parameters
Unusual WebSocket or serial port communication

SIEM Query:

source="chrome_logs" AND (event="crash" OR event="exception") AND process="chrome" AND message="*WebSerial*"

📊 Metadata

CVE ID: CVE-2021-30562

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: August 3, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1220078 Permissions Required,Vendor Advisory
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html Release Notes,Vendor Advisory
https://crbug.com/1220078 Permissions Required,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-30562, you might also want to check these: