8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.034 Low
EPSS
Percentile
90.3%
Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Recent assessments:
gwillcox-r7 at March 15, 2021 6:18am UTC reported:
Reported as exploited in the wild at <https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html> and at <https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>.
This bug seems to have scarce details from what I can tell online, however it appears to be a UAF bug within Blink that was reported by an anonymous researcher on 2021-03-09. The details for this bug are currently locked so that only Google employees can access it, but should it be opened to the public the details will be at <https://bugs.chromium.org/p/chromium/issues/detail?id=1186287>.
As per usual the advice to protect against UAF bugs in browsers is to disable JavaScript on untrusted websites via a plugin such as NoScript. Since most UAFโs require JavaScript to be enabled to conduct exploitation, this will act as an effective mitigation in most cases, but users should not rely on this as their sole protection mechanism.
It is interesting to see that this is the third 0day exploited in the wild this year in Chrome, alongside CVE-2021-21166, a object lifecycle issue in the audio component, and CVE-2021-21148, a heap buffer overflow within the V8 scripting engine. Time will tell if this trend continues though, but it is interesting to see such an regular cadence of vulnerabilities being exploited in the wild.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 3
chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html
crbug.com/1186287
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21193
lists.fedoraproject.org/archives/list/[email protected]/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ/
security.gentoo.org/glsa/202104-08
thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html
www.debian.org/security/2021/dsa-4886
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.034 Low
EPSS
Percentile
90.3%