Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
4

CVE-2021-21193

Disclosure Date: March 16, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Add Assessment

3
Ratings
Technical Analysis

Reported as exploited in the wild at https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html and at https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html.

This bug seems to have scarce details from what I can tell online, however it appears to be a UAF bug within Blink that was reported by an anonymous researcher on 2021-03-09. The details for this bug are currently locked so that only Google employees can access it, but should it be opened to the public the details will be at https://bugs.chromium.org/p/chromium/issues/detail?id=1186287.

As per usual the advice to protect against UAF bugs in browsers is to disable JavaScript on untrusted websites via a plugin such as NoScript. Since most UAF’s require JavaScript to be enabled to conduct exploitation, this will act as an effective mitigation in most cases, but users should not rely on this as their sole protection mechanism.

It is interesting to see that this is the third 0day exploited in the wild this year in Chrome, alongside CVE-2021-21166, a object lifecycle issue in the audio component, and CVE-2021-21148, a heap buffer overflow within the V8 scripting engine. Time will tell if this trend continues though, but it is interesting to see such an regular cadence of vulnerabilities being exploited in the wild.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • debian,
  • fedoraproject,
  • google

Products

  • chrome,
  • debian linux 10.0,
  • fedora 32

Exploited in the Wild

Reported by:
Technical Analysis