AttackerKB: AKB:DFA61FBF-688B-44E9-8B09-134E93207AD9
History: Mar 09, 2021 - 12:00 a.m.

CVE-2021-21166

2021-03-09 00:00:00
attackerkb.com

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.974 High
Percentile: 99.9%

Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Recent assessments:

gwillcox-r7 at March 08, 2021 5:47pm UTC reported:

Reported as exploited in the wild at <https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/> and at <https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html>.

Details are still scant on this vulnerability as they are being withheld by Google until more people have patched the issue, which was fixed in Chrome 89.0.4389.72. All that we know is that the bug is labeled as an Object lifecycle issue in audio and was found by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11.

Given the description of this vulnerability as well as its link to a similar vulnerability exploited in the wild in the past (see <https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>), it's likely that this is a UAF vulnerability. Given the one used in <https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/> was a bug in the same component which was then used in the WizardOpium attacks, it's likely that this vulnerability will lead to full compromise of the system given past history.

Users are encouraged to disable JavaScript where possible, particularly for untrusted sites, as this is often needed in order to successfully exploit UAF vulnerabilities in the browser. However, this is only a temporary fix, and it is strongly encouraged that users instead upgrade to Chrome 89.0.4389.72 or later. Given there is already active exploitation of this vulnerability, and given the history of bugs within this component, there is a good possibility that we may see more widespread exploitation of this issue in the near future.

Assessed Attacker Value: 5
Assessed Attacker Value: 3
