⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-21206Use After Free in Google Chrome

CWE-416Use After Free13 documents10 sources
Severity
8.8HIGHNVD
EPSS
21.9%
top 4.22%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Google ChromeChromiumDebian Chromium+3 more
Timeline
PublishedApr 26
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

CVEListV5google/chromeunspecified89.0.4389.128
NVDgoogle/chrome< 89.0.4389.128
debiandebian/chromium< chromium 90.0.4430.72-1 (bookworm)
Debianchromium/chromium< 90.0.4430.72-1+3

Also affects: Fedora 32, 33, 34

🔴Vulnerability Details

5
GHSA
GHSA-g8g5-f7qq-6h9m: Use after free in Blink in Google Chrome prior to 892022-05-24
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
OSV
CVE-2021-21206: Use after free in Blink in Google Chrome prior to 892021-04-26
VulnCheck
Google Chromium Blink Use-After-Free Vulnerability2021
Project0
Project Zero RCA: CVE-2021-21206: Chrome Use-After-Free in Animations

📋Vendor Advisories

4
CISA
Google Chromium Blink Use-After-Free Vulnerability2021-11-03
Chrome
Stable Channel Update for Desktop: CVE-2021-212062021-04-13
Microsoft
Chromium: CVE-2021-21206 Use after free in Blink2021-04-13
Debian
CVE-2021-21206: chromium - Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote...2021

🕵️Threat Intelligence

3
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys2022-02-23
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys2021-11-09