CVE-2021-21193 — Google Chromium Blink Use-After-Free Vulnerability

CVE-2021-21193

Chrome Blink Rendering Engine — Use-After-Free Zero-Day Enables Remote Code Execution via Malicious Web Page; Third Chrome Zero-Day of Q1 2021

Blink is Chrome's HTML rendering engine — the component that parses HTML/CSS, builds and manages the Document Object Model (DOM), handles web page layout, and manages the lifecycle of all page objects and JavaScript bindings. As the largest and most complex component of Chrome, Blink processes an enormous variety of web content from untrusted sources. Use-after-free vulnerabilities in Blink arise when DOM objects, rendering objects, or event handlers are freed while JavaScript or another Blink component still holds references to them — a common occurrence in the complex object lifecycle of modern web page rendering. Blink UAF bugs are a primary source of Chrome zero-days because they are discoverable through fuzzing, reliably triggerable via JavaScript, and provide strong memory corruption primitives.

Overview

CVE-2021-21193 is a use-after-free vulnerability (CWE-416) in the Chrome Blink rendering engine. Google patched it in Chrome 89.0.4389.90 (March 12, 2021), the third Chrome zero-day of Q1 2021, following CVE-2021-21148 (February) and CVE-2021-21166 (March 2). The stable channel release notes stated that Google was aware of reports that an exploit for the bug existed in the wild. A remote attacker who lures a victim to a crafted HTML page can trigger heap corruption and achieve code execution inside the Chrome renderer process. CISA added the CVE to the KEV catalog in November 2021.

Affected Versions

Product                                                  Vulnerable   Fixed
Chrome before 89.0.4389.90                               Yes          Chrome 89.0.4389.90 (March 12, 2021)
Microsoft Edge (Chromium) before the equivalent build    Yes          Edge update incorporating Chromium 89.0.4389.90
Opera and other Chromium-based browsers                  Yes          Corresponding vendor updates

Technical Details

  • Root cause: Use-after-free (CWE-416) in Blink. A DOM-related or rendering object is freed while a JavaScript wrapper or an internal Blink reference still points at it; any later access through that stale pointer reads or writes whatever now occupies the freed slot in the renderer heap. That is the starting point for building memory read/write primitives and, from there, code execution
  • Heap corruption exploitation: By controlling the content that occupies the freed object's memory location (through JavaScript heap grooming), an attacker achieves type confusion — the freed object's memory is interpreted as a different type, enabling controlled memory access at attacker-influenced offsets
  • Renderer code execution: Code execution occurs in Chrome's renderer process — sandboxed via Chrome's multi-process architecture; full OS compromise requires an additional sandbox escape (typically a kernel exploit or a Chrome browser process vulnerability)
  • Q1 2021 Chrome zero-day density: CVE-2021-21193 was the third Chrome zero-day in under two months (21148 in February, 21166 on March 2, 21193 on March 12) — reflecting either a period of intensive exploitation by sophisticated actors or concurrent use by multiple independent threat actors
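To make the mechanism in the bullets above concrete, here is an added example. It is not Chromium or Blink code and it is not the CVE-2021-21193 bug; it is a minimal C model with hypothetical names. A toy size-bucketed pool allocator stands in for PartitionAlloc (assumption: the next same-size allocation gets the most recently freed slot, which is how a bucketed LIFO free list behaves); a `node` is freed while `wrapper_ref` still points at it; an attacker-filled buffer of the same size lands in the slot, so the stale read returns attacker bytes and the stale function pointer would point at attacker-chosen memory. The hardened variant clears the reference before the free, which is the role Blink's tracing garbage collector (Oilpan) and weak references play for DOM objects.

```c
/* Added example (not Chromium/Blink code, not the real CVE-2021-21193 bug):
 * a use-after-free turning into type confusion once a freed slot is refilled
 * with attacker-controlled data. The pool allocator models a size-bucketed
 * allocator such as PartitionAlloc (assumption: LIFO reuse of freed slots). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS 8

/* Tiny LIFO free-list allocator: every object here is SLOT_SIZE bytes. */
static union slot { uint8_t bytes[SLOT_SIZE]; void *align; } pool[NSLOTS];
static int free_stack[NSLOTS];
static int free_top;

static void pool_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
}
static void *pool_alloc(void) {
    return free_top ? pool[free_stack[--free_top]].bytes : NULL;
}
static void pool_free(void *p) {
    int idx = (int)((union slot *)p - pool);
    free_stack[free_top++] = idx;   /* next same-size alloc gets this slot back */
}

/* A "DOM node" as the renderer might hold it: dispatch pointer plus state. */
struct node {
    void (*dispatch)(struct node *);
    uint32_t id;
    uint32_t flags;
};
/* An attacker-shaped object of the same size, e.g. a typed-array backing store. */
struct raw_buffer { uint8_t bytes[SLOT_SIZE]; };

static void node_dispatch(struct node *n) { printf("node %u\n", n->id); }

/* Vulnerable pattern: the "JS wrapper" keeps a raw pointer to the node, the
 * node is freed by another code path, then the wrapper dereferences it.
 * Returns the id the wrapper observes after the slot has been refilled. */
uint32_t demo_vulnerable(void) {
    pool_init();
    struct node *n = pool_alloc();
    n->dispatch = node_dispatch; n->id = 7; n->flags = 0;
    struct node *wrapper_ref = n;        /* becomes stale after the free below */

    pool_free(n);                        /* node lifetime ends */

    /* Heap grooming: request a same-size object and fill it with 0x41. */
    struct raw_buffer *spray = pool_alloc();
    memset(spray->bytes, 0x41, SLOT_SIZE);

    /* Type confusion: the wrapper reads node fields, but the bytes now belong
     * to the attacker's buffer. Calling wrapper_ref->dispatch here would jump
     * to 0x4141..., which is the control-flow primitive; we only read id. */
    return wrapper_ref->id;              /* 0x41414141, not 7 */
}

/* Hardened pattern: the wrapper holds a weak handle that node_destroy()
 * clears before the memory is released, so no stale pointer survives. */
struct weak_ref { struct node *ptr; };

static void node_destroy(struct node *n, struct weak_ref *observers, int count) {
    for (int i = 0; i < count; i++)
        if (observers[i].ptr == n) observers[i].ptr = NULL;  /* invalidate first */
    pool_free(n);
}

/* Returns the id read through the wrapper, or -1 when the handle is dead. */
int64_t demo_hardened(void) {
    pool_init();
    struct node *n = pool_alloc();
    n->dispatch = node_dispatch; n->id = 7; n->flags = 0;
    struct weak_ref wrapper = { n };

    node_destroy(n, &wrapper, 1);

    struct raw_buffer *spray = pool_alloc();
    memset(spray->bytes, 0x41, SLOT_SIZE);

    if (wrapper.ptr == NULL) return -1;  /* stale access refused */
    return wrapper.ptr->id;
}

int main(void) {
    printf("vulnerable: id=0x%08x\n", demo_vulnerable());
    printf("hardened:   %lld\n", (long long)demo_hardened());
    return 0;
}
```

The point of the toy is the ordering: in the vulnerable path the free happens while a reference is still live, and the allocator's reuse policy does the rest. Real exploits additionally need the freed object's size class to be reachable from JavaScript allocations, which is why grooming targets objects whose sizes match the victim's bucket.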

Discovery

Reported to Google as an in-the-wild zero-day. The March 12, 2021 stable channel release notes state that Google "is aware of reports that an exploit for CVE-2021-21193 exists in the wild"; the notes give no detail on the exploit or its targets.

Exploitation Context

Three Chrome zero-days in about five weeks (February 4 to March 12, 2021) reflects both the value of Chrome renderer exploits and the resources of actors willing to burn several in quick succession, whether one actor with a pipeline of Chrome bugs or several acting independently. Chrome zero-days are typically seen in (1) targeted surveillance of specific high-value individuals, (2) watering-hole attacks against specific communities, and, less often, (3) broader criminal delivery once an exploit leaks or is reconstructed from the patch. All three Q1 2021 Chrome zero-days were included in the initial CISA KEV catalog published on November 3, 2021 under BOD 22-01. KEV inclusion records that exploitation was known, not that it continued after the patch, but unpatched installations remain exposed to any exploit derived from the fix.

Remediation

  1. Update Chrome to 89.0.4389.90 or later — any current Chrome release contains the fix; verify at chrome://settings/help
  2. Update Microsoft Edge, Opera, and all Chromium-based browsers separately — Chrome updates do not propagate to other browsers
  3. Enable automatic Chrome updates and verify no enterprise policy blocks update delivery
  4. Apply all three Q1 2021 Chrome zero-day patches: CVE-2021-21148 (fixed in 88.0.4324.150, February 4, 2021), CVE-2021-21166 (89.0.4389.72, March 2, 2021), and CVE-2021-21193 (89.0.4389.90, March 12, 2021); any build at or above 89.0.4389.90 covers all three
  5. Enable Chrome's Enhanced Safe Browsing for additional protection against malicious sites
  6. Ensure Chrome sandboxing is active — do not use --no-sandbox startup flags, which dramatically increase the impact of Blink UAF exploitation
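A practitioner verifying the steps above across a fleet needs a numeric, not lexical, comparison of Chromium's four-part version string. The following is an added example, not Chromium code; all names are hypothetical. The fixed-in versions are taken from the Chrome stable channel release notes: CVE-2021-21148 shipped in 88.0.4324.150, CVE-2021-21166 in 89.0.4389.72 and CVE-2021-21193 in 89.0.4389.90. Edge and Opera use their own version numbers, so their builds must first be mapped to the Chromium version they embed before being fed to this check.

```c
/* Added example (not Chromium code): report which of the three Q1 2021
 * Chrome zero-days a given Chromium build is still exposed to, by numeric
 * component-wise comparison of the four-part version string. Fixed-in
 * versions are from the Chrome stable channel release notes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fix { const char *cve; const char *fixed_in; };

#define NFIXES 3
static const struct fix Q1_2021_FIXES[NFIXES] = {
    { "CVE-2021-21148", "88.0.4324.150" },
    { "CVE-2021-21166", "89.0.4389.72"  },
    { "CVE-2021-21193", "89.0.4389.90"  },
};

/* Parse up to four dot-separated non-negative components; missing trailing
 * components count as 0. Returns 0 on malformed input (extra components,
 * non-digits, negatives) so the caller treats the build as "unknown". */
static int parse_version(const char *s, long out[4]) {
    for (int i = 0; i < 4; i++) out[i] = 0;
    for (int i = 0; i < 4; i++) {
        char *end;
        out[i] = strtol(s, &end, 10);
        if (end == s || out[i] < 0) return 0;
        if (*end == '\0') return 1;
        if (*end != '.') return 0;
        s = end + 1;
    }
    return *s == '\0';   /* reject a fifth component */
}

/* Numeric comparison: negative, zero, positive like strcmp, but "100" > "90". */
static int compare_versions(const long a[4], const long b[4]) {
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Returns a bitmask of still-unpatched CVEs (bit i = Q1_2021_FIXES[i]),
 * 0 when the build is at or above every fix, or -1 if unparseable. */
int unpatched_q1_2021(const char *installed) {
    long have[4], need[4];
    if (!parse_version(installed, have)) return -1;
    int mask = 0;
    for (int i = 0; i < NFIXES; i++) {
        parse_version(Q1_2021_FIXES[i].fixed_in, need);
        if (compare_versions(have, need) < 0) mask |= 1 << i;
    }
    return mask;
}

int main(int argc, char **argv) {
    /* Constructed sample: a build between the March 2 and March 12 fixes. */
    const char *v = argc > 1 ? argv[1] : "89.0.4389.82";
    int mask = unpatched_q1_2021(v);
    if (mask < 0) { fprintf(stderr, "unparseable version: %s\n", v); return 2; }
    for (int i = 0; i < NFIXES; i++)
        printf("%s: %s\n", Q1_2021_FIXES[i].cve,
               ((mask >> i) & 1) ? "VULNERABLE" : "fixed");
    return mask != 0;   /* non-zero exit when anything is unpatched */
}
```

Run it with the value shown under chrome://version as the first argument; the exit status is non-zero when any of the three patches is missing, which makes it usable from an inventory script. The numeric comparison matters: a lexical compare would rate 89.0.4389.100 as older than 89.0.4389.90.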

Key Details

Property              Value
CVE ID                CVE-2021-21193
Vendor / Product      Google — Chromium Blink
NVD Published         2021-03-16
NVD Last Modified     2025-10-24
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-03-12   Google releases Chrome 89.0.4389.90 patching CVE-2021-21193; the release notes state Google "is aware of reports that an exploit for CVE-2021-21193 exists in the wild"
2021-03-16   CVE published in NVD
2021-11-03   Added to the CISA Known Exploited Vulnerabilities catalog (initial catalog release)
2021-11-17   CISA BOD 22-01 remediation deadline

References

Resource                                              Type
Chrome Stable Channel Update — Chrome 89.0.4389.90    Vendor Advisory
NVD — CVE-2021-21193                                  Vulnerability Database
CISA KEV Catalog Entry                                US Government