CVE-2021-30625
published 2021-10-08CVE-2021-30625: Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user the visit a malicious website to…
PriorityP354high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
10.13%
95.1th percentile
Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user the visit a malicious website to potentially exploit heap corruption via a crafted HTML page.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| debian | chromium | < chromium 93.0.4577.82-1 (bookworm) | chromium 93.0.4577.82-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 93.0.4577.82 | 93.0.4577.82 | |
| chrome | >= unspecified < 93.0.4577.82 | 93.0.4577.82 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Chromium: CVE-2021-30625 Use after free in Selection API
vendor_msrc·2021-09-14·CVSS 8.8
CVE-2021-30625 [HIGH] Chromium: CVE-2021-30625 Use after free in Selection API
Chromium: CVE-2021-30625 Use after free in Selection API
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
93.0.961.52
9/16/2021
93.0.4577.82
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CV
Chrome
Stable Channel Update for Desktop: CVE-2021-30625
vendor_chrome·2021-09-13·CVSS 8.8
CVE-2021-30625 [HIGH] Stable Channel Update for Desktop: CVE-2021-30625
Stable Channel Update for Desktop
CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06 [$7500][ 1241036 ] High CVE-2021-30626: Out of bounds memory access in ANGLE
Reported by Jeonghoon Shin of Theori on 2021-08-18 [$5000][ 1245786 ] High CVE-2021-30627: Type Confusion in Blink layout
Severity: high
Debian
CVE-2021-30625: chromium - Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a...
vendor_debian·2021·CVSS 8.8
CVE-2021-30625 [HIGH] CVE-2021-30625: chromium - Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a...
Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user the visit a malicious website to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 93.0.4577.82-1)
bullseye: resolved (fixed in 93.0.4577.82-1)
forky: resolved (fixed in 93.0.4577.82-1)
sid: resolved (fixed in 93.0.4577.82-1)
trixie: resolved (fixed in 93.0.4577.82-1)
GHSA
GHSA-vxhq-cfwm-48pw: Use after free in Selection API in Google Chrome prior to 93
ghsa_unreviewed·2022-05-24
CVE-2021-30625 [HIGH] CWE-416 GHSA-vxhq-cfwm-48pw: Use after free in Selection API in Google Chrome prior to 93
Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user the visit a malicious website to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2021-30625: Use after free in Selection API in Google Chrome prior to 93
osv·2021-10-08·CVSS 8.8
CVE-2021-30625 [HIGH] CVE-2021-30625: Use after free in Selection API in Google Chrome prior to 93
Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user the visit a malicious website to potentially exploit heap corruption via a crafted HTML page.
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution
blogs_talos·2021-12-01·CVSS 8.8
CVE-2021-30625 [HIGH] Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution
Marcin Towalski of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.
Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well. This specific vulnerability exists in Blink, the main DOM parsing and rendering engine at the core of Chromium. TALOS-2021-1352 (CVE-2021-30625) is a use-after-free vulnerability that triggers if the user opens a specially crafted web page in Chrome. That page could trigger the reuse of previously freed memory, which can lead to arbitrary code execution.
Cisco Talos worked with Google to ensure that this issue is resolved and an update is available for affected cus
Talos
Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution
blogs_talos·2021-12-01·CVSS 8.8
[HIGH] Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution
## Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution
Marcin Towalski of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.
Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well. This specific vulnerability exists in Blink, the main DOM parsing and rendering engine at the core of Chromium. TALOS-2021-1352 (CVE-2021-30625) is a use-after-free vulnerability that triggers if the user opens a specially crafted web page in Chrome. That page could trigger the reuse of previously freed memory, which can lead to arbitrary code execution.
Cisco Talos
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.htmlhttps://crbug.com/1237533https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1352https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.htmlhttps://crbug.com/1237533https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1352
2021-10-08
Published