High
CVE-2021-21193
CVE-2021-21193
Description
Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Add Assessment
Technical Analysis
Reported as exploited in the wild at https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html and at https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html.
This bug seems to have scarce details from what I can tell online, however it appears to be a UAF bug within Blink that was reported by an anonymous researcher on 2021-03-09. The details for this bug are currently locked so that only Google employees can access it, but should it be opened to the public the details will be at https://bugs.chromium.org/p/chromium/issues/detail?id=1186287.
As per usual the advice to protect against UAF bugs in browsers is to disable JavaScript on untrusted websites via a plugin such as NoScript. Since most UAF’s require JavaScript to be enabled to conduct exploitation, this will act as an effective mitigation in most cases, but users should not rely on this as their sole protection mechanism.
It is interesting to see that this is the third 0day exploited in the wild this year in Chrome, alongside CVE-2021-21166, a object lifecycle issue in the audio component, and CVE-2021-21148, a heap buffer overflow within the V8 scripting engine. Time will tell if this trend continues though, but it is interesting to see such an regular cadence of vulnerabilities being exploited in the wild.
CVSS V3 Severity and Metrics
General Information
Vendors
- debian,
- fedoraproject,
Products
- chrome,
- debian linux 10.0,
- fedora 32
Exploited in the Wild
References
