cbcvebase.
CVE-2021-21166
published 2021-03-09

CVE-2021-21166: Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

PriorityP185high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2021-11-17
Exploited in the wild
EPSS
26.52%
97.8th percentile
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected

13 ranges
VendorProductVersion rangeFixed in
chromiumchromium>= 0 < 89.0.4389.82-189.0.4389.82-1
chromiumchromium>= 0 < 89.0.4389.82-189.0.4389.82-1
chromiumchromium>= 0 < 89.0.4389.82-189.0.4389.82-1
chromiumchromium>= 0 < 89.0.4389.82-189.0.4389.82-1
debianchromium< chromium 89.0.4389.82-1 (bookworm)chromium 89.0.4389.82-1 (bookworm)
debiandebian_linux
fedoraprojectfedora
fedoraprojectfedora
fedoraprojectfedora
googlechrome< 89.0.4389.7289.0.4389.72
googlechrome>= unspecified < 89.0.4389.7289.0.4389.72
googlechrome_chrome
msrcmicrosoft_edge

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2021-21166 is a race condition (data race) in the audio component of Google Chromium, exploitable via a crafted HTML page leading to heap corruption. It has been confirmed exploited in the wild.
  • CVE-2021-21166 was exploited as part of Candiru's DevilsTongue spyware watering hole campaigns targeting high-value individuals; defenders should hunt for browser exploitation indicators on endpoints of politicians, journalists, human rights defenders, and other high-value targets.
  • ·The CVE is described as a 'data race in audio' in the NVD/Debian tracker, but the Chrome release blog and Microsoft MSRC describe it as an 'Object lifecycle issue in audio' — both refer to the same CVE-2021-21166.
  • ·The vulnerability affects all Chromium-based browsers below version 89.0.4389.72, not just Google Chrome — including Microsoft Edge and Opera.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.