CVE-2021-21193 - Vulnerability Details - OpenCVE

ReportizFlow

Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is in the KEV database since Nov. 3, 2021.

Exploitation active

Automatable no

Technical Impact total

Vendors	Products
Debian	Debian Linux
Fedoraproject	Fedora
Google	Chrome

Configuration 1 [-]

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html
https://crbug.com/1186287
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/
https://security.gentoo.org/glsa/202104-08
https://www.debian.org/security/2021/dsa-4886

History

Tue, 21 Oct 2025 20:30:00 +0000

Type	Values Removed	Values Added
References	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21193

Tue, 21 Oct 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21193

Wed, 29 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2021-11-03'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2021-03-16T14:10:18.000Z

Updated: 2025-10-21T19:54:07.724Z

Reserved: 2020-12-21T00:00:00.000Z

Link: CVE-2021-21193

Vulnrichment

Updated: 2024-08-03T18:01:14.303Z

NVD

Status : Modified

Published: 2021-03-16T15:15:13.157

Modified: 2025-10-21T20:18:16.980

Link: CVE-2021-21193

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Chrome", "vendor": "Google", "versions": [{"lessThan": "89.0.4389.90", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."}], "problemTypes": [{"descriptions": [{"description": "Use after free", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-01T01:07:55.000Z", "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html"}, {"tags": ["x_refsource_MISC"], "url": "https://crbug.com/1186287"}, {"name": "DSA-4886", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4886"}, {"name": "FEDORA-2021-141d8640ce", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/"}, {"name": "GLSA-202104-08", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202104-08"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2021-21193", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Chrome", "version": {"version_data": [{"version_affected": "<", "version_value": "89.0.4389.90"}]}}]}, "vendor_name": "Google"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use after free"}]}]}, "references": {"reference_data": [{"name": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html", "refsource": "MISC", "url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html"}, {"name": "https://crbug.com/1186287", "refsource": "MISC", "url": "https://crbug.com/1186287"}, {"name": "DSA-4886", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4886"}, {"name": "FEDORA-2021-141d8640ce", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/"}, {"name": "GLSA-202104-08", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202104-08"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:01:14.303Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crbug.com/1186287"}, {"name": "DSA-4886", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4886"}, {"name": "FEDORA-2021-141d8640ce", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/"}, {"name": "GLSA-202104-08", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202104-08"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-21193", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-29T16:54:07.301199Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21193"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "timeline": [{"time": "2021-11-03T00:00:00+00:00", "lang": "en", "value": "CVE-2021-21193 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T19:54:07.724Z"}}]}, "cveMetadata": {"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "assignerShortName": "Chrome", "cveId": "CVE-2021-21193", "datePublished": "2021-03-16T14:10:18.000Z", "dateReserved": "2020-12-21T00:00:00.000Z", "dateUpdated": "2025-10-21T19:54:07.724Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://crbug.com/1186287", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.debian.org/security/2021/dsa-4886", "name": "DSA-4886", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/", "name": "FEDORA-2021-141d8640ce", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202104-08", "name": "GLSA-202104-08", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:01:14.303Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-21193", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-29T16:54:07.301199Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21193"}}}], "timeline": [{"lang": "en", "time": "2021-11-03T00:00:00+00:00", "value": "CVE-2021-21193 added to CISA KEV"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T16:51:55.638Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "89.0.4389.90", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html", "tags": ["x_refsource_MISC"]}, {"url": "https://crbug.com/1186287", "tags": ["x_refsource_MISC"]}, {"url": "https://www.debian.org/security/2021/dsa-4886", "name": "DSA-4886", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/", "name": "FEDORA-2021-141d8640ce", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://security.gentoo.org/glsa/202104-08", "name": "GLSA-202104-08", "tags": ["vendor-advisory", "x_refsource_GENTOO"]}], "descriptions": [{"lang": "en", "value": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Use after free"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2021-05-01T01:07:55.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "89.0.4389.90", "version_affected": "<"}]}, "product_name": "Chrome"}]}, "vendor_name": "Google"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html", "name": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html", "refsource": "MISC"}, {"url": "https://crbug.com/1186287", "name": "https://crbug.com/1186287", "refsource": "MISC"}, {"url": "https://www.debian.org/security/2021/dsa-4886", "name": "DSA-4886", "refsource": "DEBIAN"}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/", "name": "FEDORA-2021-141d8640ce", "refsource": "FEDORA"}, {"url": "https://security.gentoo.org/glsa/202104-08", "name": "GLSA-202104-08", "refsource": "GENTOO"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use after free"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-21193", "STATE": "PUBLIC", "ASSIGNER": "[email protected]"}}}}, "cveMetadata": {"cveId": "CVE-2021-21193", "state": "PUBLISHED", "dateUpdated": "2025-10-21T19:54:07.724Z", "dateReserved": "2020-12-21T00:00:00.000Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2021-03-16T14:10:18.000Z", "assignerShortName": "Chrome"}, "dataVersion": "5.1"}

{"cisaActionDue": "2021-11-17", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Google Chromium Blink Use-After-Free Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "66251C61-17B9-4437-B3D7-75A75BCCE0FD", "versionEndExcluding": "89.0.4389.90", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."}, {"lang": "es", "value": "Un uso de la memoria previamente liberada en Blink en Google Chrome versiones anteriores a 89.0.4389.90, permit\u00eda a un atacante remoto explotar la corrupci\u00f3n de la pila por medio de una p\u00e1gina HTML dise\u00f1ada"}], "id": "CVE-2021-21193", "lastModified": "2025-10-21T20:18:16.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-03-16T15:15:13.157", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html"}, {"source": "[email protected]", "tags": ["Permissions Required"], "url": "https://crbug.com/1186287"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-08"}, {"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4886"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://crbug.com/1186287"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-08"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4886"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}