CVE-2021-30633

9.6 CRITICAL

📋 TL;DR

This is a use-after-free vulnerability in Chrome's IndexedDB API that allows an attacker who has already compromised the renderer process to escape the browser sandbox. It affects Google Chrome versions prior to 93.0.4577.82. Users visiting malicious websites could have their systems fully compromised.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 93.0.4577.82
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all standard Chrome installations. Sandbox must be enabled (default).

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise - the attacker gains full control of the victim's machine through sandbox escape, enabling installation of malware, data theft, and persistence.

🟠 Likely Case

Remote code execution on the victim's system, allowing the attacker to execute arbitrary code with user privileges.

🟢 If Mitigated

Limited to renderer process compromise only, preventing system-level access if the sandbox holds.

🌐 Internet-Facing: HIGH - Exploitable via visiting malicious websites, no authentication required.
🏢 Internal Only: MEDIUM - Requires user interaction (visiting malicious page), but internal users could be targeted via phishing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires renderer process compromise first, then leverages this bug for sandbox escape. Exploit chain needed for full impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 93.0.4577.82

Vendor Advisory: https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome menu > Help > About Google Chrome.
2. Chrome will automatically check for updates and install version 93.0.4577.82 or later.
3. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution, but breaks most websites.

chrome://settings/content/javascript > Block

Use Site Isolation

all

Ensure site isolation is enabled to limit renderer process compromise scope.

chrome://flags/#site-isolation-trial-opt-out > Disabled

🧯 If You Can't Patch

  • Restrict web browsing to trusted sites only using browser policies
  • Deploy application allowlisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Open chrome://version and check the Chrome version; the installation is vulnerable if it is below 93.0.4577.82.

Check Version:

google-chrome --version (Linux) or check chrome://version

Verify Fix Applied:

Confirm Chrome version is 93.0.4577.82 or higher via chrome://version
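
The version check above can be scripted for an inventory of hosts. The following is an added example, not part of the original advisory: it compares the four version components numerically (a plain string comparison would rank 100.x below 93.x) and reports unparseable output as UNKNOWN. The host names and inventory lines are constructed sample data, and the function names are illustrative.

```shell
#!/bin/sh
# Fixed version taken from the advisory above.
FIXED="93.0.4577.82"

# Extract the first four-part dotted version from text such as
# "Google Chrome 92.0.4515.159" (what `google-chrome --version` prints).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Succeed (status 0) when version $1 is numerically lower than version $2.
# Call it from an `if` or a `||` list so a false result is not fatal under `set -e`.
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # split both versions into eight positional fields
    IFS=$old_ifs
    [ $# -eq 8 ] || return 2
    if [ "$1" -ne "$5" ]; then [ "$1" -lt "$5" ]; return $?; fi
    if [ "$2" -ne "$6" ]; then [ "$2" -lt "$6" ]; return $?; fi
    if [ "$3" -ne "$7" ]; then [ "$3" -lt "$7" ]; return $?; fi
    [ "$4" -lt "$8" ]
}

# Print VULNERABLE, PATCHED or UNKNOWN for one line of version output.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo UNKNOWN
    elif version_lt "$v" "$FIXED"; then echo VULNERABLE
    else echo PATCHED
    fi
}

# Constructed sample inventory: "<host> <collected version output>".
report() {
    while read -r host line; do
        printf '%-8s %-11s %s\n' "$host" "$(chrome_status "$line")" "$line"
    done <<'EOF'
ws-001 Google Chrome 92.0.4515.159
ws-002 Google Chrome 93.0.4577.82
ws-003 Google Chrome 100.0.4896.60
ws-004 Chromium 93.0.4577.63 snap
ws-005 command not found
EOF
}
report
```

Hosts reported as UNKNOWN need a manual check via chrome://version.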

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with renderer process termination
  • Unexpected child process creation from Chrome

Network Indicators:

  • Connections to known malicious domains from Chrome processes
  • Unusual outbound traffic patterns

SIEM Query:

process_name:chrome.exe AND (event_id:1 OR parent_process_name:chrome.exe) AND command_line CONTAINS "--type=renderer"
