CVE-2021-21166
Published: 2021-03-09
Priority: P1 (85), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 26.52% (97.8th percentile)

Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| chromium | chromium | >= 0 < 89.0.4389.82-1 | 89.0.4389.82-1 |
| debian | chromium | < chromium 89.0.4389.82-1 (bookworm) | chromium 89.0.4389.82-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | chrome | < 89.0.4389.72 | 89.0.4389.72 |
| chrome | chrome | >= unspecified < 89.0.4389.72 | 89.0.4389.72 |
| chrome | chrome | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
- CVE-2021-21166 is a race condition (data race) in the audio component of Google Chromium, exploitable via a crafted HTML page leading to heap corruption. It has been confirmed exploited in the wild.
- CVE-2021-21166 was exploited as part of Candiru's DevilsTongue spyware watering hole campaigns targeting high-value individuals; defenders should hunt for browser exploitation indicators on endpoints of politicians, journalists, human rights defenders, and other high-value targets.
- The CVE is described as a 'data race in audio' in the NVD/Debian tracker, but the Chrome release blog and Microsoft MSRC describe it as an 'Object lifecycle issue in audio'; both refer to the same CVE-2021-21166.
- The vulnerability affects all Chromium-based browsers below version 89.0.4389.72, not just Google Chrome, including Microsoft Edge and Opera.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
GHSA
GHSA-q4f3-pjpv-9q5x: Data race in audio in Google Chrome prior to 89
ghsa_unreviewed·2022-05-24·HIGH·CWE-119
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01·tagged CVE-2016-4654
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
OSV
CVE-2021-21166: Data race in audio in Google Chrome prior to 89
osv·2021-03-09·CVSS 8.8·HIGH
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
VulnCheck
Google Chromium Race Condition Vulnerability
vulncheck·2021·CVSS 8.8·HIGH·CWE-122
Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/; https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilitie
Project0
Project Zero RCA: CVE-2021-21166: Chrome Object Lifecycle Issue in Audio
project_zero·CVSS 8.8·HIGH
# CVE-2021-21166: Chrome Object Lifecycle Issue in Audio
*Clement Lecigne, Google Threat Analysis Group*
## The Basics
**Disclosure or Patch Date:** 2 March 2021
**Product:** Google Chrome
**Advisory:**
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
**Affected Versions:** 89.0.4389.69 and previous
**First Patched Version:** 89.0.4389.72
**Issue/Bug Reports:**
* https://bugs.chromium.org/p/chromium/issues/detail?id=1174582
* https://bugs.chromium.org/p/chromium/issues/detail?id=1181341
* https://bugs.chromium.org/p/chromium/issues/detail?id=1177465
**Patch CL:**
* https://chromium.googlesource.com/chromium/src/+/60987aa224f369fc0ea38c56e498389440921356
* https://chromium.googlesource.com/chromium/src/+/b9e60ddc7606689e508f295077656389380288ba
CISA
Google Chromium Race Condition Vulnerability
cisa·2021-11-03·CVSS 8.8·HIGH·CWE-122
Vulnerability: Google Chromium Race Condition Vulnerability
Affected: Google Chromium
Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-21166
Remediation Due Date: 2021-11-17
Microsoft
Chromium CVE-2021-21166: Object lifecycle issue in audio
vendor_msrc·2021-03-09·CVSS 8.8·HIGH
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
This CVE has been reported to be exploited in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
How can I see the version of the browser?
In yo
Chrome
Stable Channel Update for Desktop: CVE-2021-21165
vendor_chrome·2021-03-02·CVSS 8.8·HIGH
Stable Channel Update for Desktop
- CVE-2021-21165: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-04
- [$TBD][1177465] High CVE-2021-21166: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11
- [$10000][1161144] Medium CVE-2021-21167: Use after free in bookmarks
Severity: high
Debian
CVE-2021-21166: chromium - Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attac...
vendor_debian·2021·CVSS 8.8·HIGH
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 89.0.4389.82-1)
bullseye: resolved (fixed in 89.0.4389.82-1)
forky: resolved (fixed in 89.0.4389.82-1)
sid: resolved (fixed in 89.0.4389.82-1)
trixie: resolved (fixed in 89.0.4389.82-1)
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
- Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2021:
- Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
- 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
- Ransomware att
Crowdstrike
Patch Tuesday 2021: A Vulnerability Deep Dive
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Patch Tuesday 2021: A Vulnerability Deep Dive
Recorded Future
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
blogs_recorded_future
# Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Note: The analysis cut-off date for this report was June 26, 2025
## Executive Summary
Insikt Group identified new infrastructure associated with several clusters linked to the spyware vendor Candiru. This includes both victim-facing components likely used for deploying and controlling Candiru’s DevilsTongue spyware, as well as higher-tier operator infrastructure. DevilsTongue is a sophisticated, modular Windows malware. The clusters vary in design and administration, with some directly managing victim-facing systems, while others use intermediaries or the Tor network. Eight distinct clusters were identified, with five being likely still active, including those linked to Hungary and Saudi Arabia. One cluster tied to Indones
References
- https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
- https://crbug.com/1177465
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT/
- https://security.gentoo.org/glsa/202104-08
- https://www.debian.org/security/2021/dsa-4886
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21166
Timeline
- 2021-03-09: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild