What is Blink in Chrome?
Blink is Chrome's HTML rendering engine — the component responsible for parsing HTML and CSS, building the Document Object Model (DOM), handling CSS layout, managing DOM lifecycle events, and coordinating all web page rendering operations. Blink processes untrusted web content from every web page a user visits. Use-after-free vulnerabilities in Blink occur when DOM objects (HTML elements, event listeners, rendering objects) are freed while JavaScript or rendering code still holds live references — a common pattern in complex web rendering code that manages thousands of interrelated objects with complex lifetimes. UAF bugs in Blink are reliably exploitable for renderer code execution by controlling the freed memory's contents.
Overview
CVE-2021-21206 is a use-after-free vulnerability (CWE-416) in the Chrome Blink rendering engine. Google patched this in Chrome 89.0.4389.128 (April 13, 2021) as a zero-day — actively exploited in the wild before the patch. The vulnerability allows a remote attacker to exploit heap corruption via a crafted HTML page, achieving code execution in the Chrome renderer process. CVE-2021-21206 was patched in the same timeframe as V8 zero-days CVE-2021-21220 and CVE-2021-21224, suggesting a coordinated exploitation campaign using multiple browser zero-days. CISA added it to the KEV catalog in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Chrome before 89.0.4389.128 | Yes | Chrome 89.0.4389.128 (April 13, 2021) |
| Microsoft Edge (Chromium) before equivalent | Yes | Edge update following Chrome 89 |
| Opera and other Chromium-based browsers | Yes | Corresponding vendor updates |
Technical Details
- Root cause: Use-after-free (CWE-416) in Blink — a DOM object or rendering-related object is freed while JavaScript or another Blink component holds an active reference; attacker-controlled JavaScript triggers the stale pointer dereference, corrupting the Chrome renderer heap
- Heap corruption exploitation: By controlling the memory allocation that fills the freed object's location (heap grooming or spraying), the attacker places controlled data at the dangling pointer's address; when Blink subsequently accesses the freed object through the stale pointer, it processes attacker-controlled data as the original object type — enabling type confusion and ultimately read/write memory primitives
- Renderer code execution: Successful exploitation achieves code execution in the Chrome renderer process (sandboxed); to fully compromise the OS, a sandbox escape is typically required as a second stage
- Zero-day cluster: CVE-2021-21206 (Blink UAF) was patched around the same time as CVE-2021-21220 (V8 improper input validation) and CVE-2021-21224 (V8 type confusion) — the concurrent patching of multiple browser zero-days suggests exploitation campaigns using multi-component browser exploit chains
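The page does not give the specific Blink object involved, so the following added illustration (not Chromium code, not a reproducer for CVE-2021-21206) shows the general shape of the bug class described above and one defensive pattern against it. A tiny fixed-slot allocator stands in for the renderer heap so the behaviour is deterministic and stays inside memory the program owns; the type names `HTMLDivElement` and `RenderBox` are used only as labels, and every function name is hypothetical. The raw-pointer path shows how a stale reference, after its slot is reused, silently reads a different object's bytes (the type-confusion step in miniature); the generation-checked weak handle shows how an ownership-aware reference detects the reuse and refuses the access instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not Chromium code): a fixed-size slot allocator stands in
 * for the renderer heap so the stale-reference behaviour is deterministic and
 * never touches memory outside this program. All names are hypothetical. */

#define SLOT_COUNT 4

typedef struct {
    uint32_t generation;   /* bumped on every free; lets weak handles detect reuse */
    int      in_use;
    char     tag[16];      /* stands in for the object's type tag / vtable slot */
    int      payload;
} Slot;

static Slot g_slots[SLOT_COUNT];

/* Weak handle: slot index plus the generation observed when the handle was taken. */
typedef struct {
    int      index;
    uint32_t generation;
} WeakRef;

static int slot_alloc(const char *tag, int payload) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!g_slots[i].in_use) {
            g_slots[i].in_use = 1;
            snprintf(g_slots[i].tag, sizeof g_slots[i].tag, "%s", tag);
            g_slots[i].payload = payload;
            return i;
        }
    }
    return -1;
}

static void slot_free(int index) {
    g_slots[index].in_use = 0;
    g_slots[index].generation++;     /* invalidates every outstanding WeakRef */
}

/* Vulnerable pattern: a raw pointer kept past the owner's lifetime. A listener
 * registry holding Slot* directly cannot tell that the slot now belongs to
 * another object, so it processes the new object's bytes as the old type. */
static const char *raw_listener_target(Slot *stale) {
    return stale->tag;
}

static WeakRef weak_take(int index) {
    WeakRef r = { index, g_slots[index].generation };
    return r;
}

/* Hardened pattern: resolve through the handle and refuse a stale generation. */
static Slot *weak_resolve(WeakRef r) {
    Slot *s = &g_slots[r.index];
    if (!s->in_use || s->generation != r.generation)
        return NULL;
    return s;
}

/* Scenario: a listener observes element A; A is freed; B is allocated into the
 * same slot. Writes what the raw pointer now sees into out; returns 1 when the
 * freed slot was reused (so the stale pointer aliases B). */
static int scenario_raw(char *out, size_t n) {
    memset(g_slots, 0, sizeof g_slots);
    int a = slot_alloc("HTMLDivElement", 1);
    Slot *dangling = &g_slots[a];          /* raw reference kept by a "listener" */
    slot_free(a);
    int b = slot_alloc("RenderBox", 2);    /* reuses the freed slot */
    snprintf(out, n, "%s", raw_listener_target(dangling));
    return a == b;
}

/* Same scenario through a weak handle; returns 1 when the stale access is refused. */
static int scenario_weak(void) {
    memset(g_slots, 0, sizeof g_slots);
    int a = slot_alloc("HTMLDivElement", 1);
    WeakRef ref = weak_take(a);
    slot_free(a);
    (void)slot_alloc("RenderBox", 2);      /* same slot reused */
    return weak_resolve(ref) == NULL;
}

int main(void) {
    char seen[16];
    scenario_raw(seen, sizeof seen);
    printf("raw pointer after free/reuse sees: %s\n", seen);
    printf("weak handle refuses stale slot: %s\n", scenario_weak() ? "yes" : "no");
    return 0;
}
```

The generation counter is the point of the example: once a reference carries proof of which lifetime it belongs to, reuse of the underlying memory becomes a detectable condition rather than silent type confusion. Blink's own mitigations (garbage-collected heap handles, `MiracleLink`-style rewrites of raw pointers) follow the same principle of making the reference, not the programmer, responsible for knowing whether the object is still alive; the specific mechanism in Chromium is not covered by this page.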
Discovery
Reported to Google as an in-the-wild zero-day. Google TAG and Chrome Security team acknowledged exploitation before the April 13 patch. The tight clustering of multiple Chrome zero-days in April 2021 is consistent with a single advanced threat actor deploying multiple exploit primitives or a commercial exploit chain being used in targeted operations.
Exploitation Context
Blink UAF zero-days are among the most commercially valuable browser exploits because they provide reliable renderer code execution against all users of Chrome and Chromium-based browsers. The April 2021 Chrome zero-day cluster (CVE-2021-21206, CVE-2021-21220, CVE-2021-21224) — multiple simultaneous zero-days in Chrome's renderer and JavaScript engine — is indicative of sophisticated exploit chain development: browser exploit frameworks typically chain a renderer RCE (like a Blink UAF) with a JavaScript engine bug and possibly a sandbox escape to achieve full OS compromise. The November 2021 CISA KEV addition reflects ongoing exploitation of Chrome versions that predated the April 2021 patches across the enterprise browser install base.
Remediation
- Update Chrome to 89.0.4389.128 or later (any current Chrome release contains the fix) — verify at chrome://settings/help
- Restart Chrome when an update is pending — Chrome downloads updates automatically but requires a restart to apply them
- Update all other Chromium-based browsers (Edge, Opera, Brave) separately
- Enable automatic browser updates across the enterprise — ensure Group Policy does not prevent Chrome or Edge from auto-updating
- Apply Chrome's Site Isolation to prevent a compromised renderer from accessing cross-origin data: chrome://settings/security → Enhanced Protection
- For high-risk users: consider a browser profile reset after any suspicious site visit if near-zero-day browser exploits are a concern in your threat model
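When checking a fleet against the fixed build above, the comparison has to be numeric per component: a plain string compare would rank "9.0.0.0" above "89.0.4389.128" and a later major such as "90.0.4430.72" below it. The following is an added example, not from the advisory or from Google; the only value taken from the page is the fixed version, and the function names are hypothetical. It returns 1 for a vulnerable version, 0 for a fixed one, and -1 for a string it cannot parse, so an unparsable inventory entry is flagged rather than silently treated as patched.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example (not from the advisory): numeric, component-wise comparison of a
 * Chrome version string against the fixed build named on this page. */

#define VERSION_PARTS 4
static const char *FIXED_VERSION = "89.0.4389.128";   /* fixed build per the advisory */

/* Parse "a.b.c.d" into parts; missing trailing components are treated as 0 and
 * components beyond the fourth are ignored. Returns 0 on success, -1 if a
 * component is not a non-negative integer or the separators are malformed. */
static int parse_version(const char *text, long parts[VERSION_PARTS]) {
    const char *p = text;
    for (int i = 0; i < VERSION_PARTS; i++) parts[i] = 0;
    for (int i = 0; i < VERSION_PARTS; i++) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0) return -1;   /* no digits, or a negative component */
        parts[i] = v;
        if (*end == '\0') return 0;         /* short form such as "89.0" */
        if (*end != '.') return -1;         /* trailing junk such as "128beta" */
        p = end + 1;
    }
    return 0;
}

/* Returns <0, 0, >0 like strcmp but numerically per component; caller must have
 * validated both inputs with parse_version. */
static int compare_parts(const long a[VERSION_PARTS], const long b[VERSION_PARTS]) {
    for (int i = 0; i < VERSION_PARTS; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* 1 = older than the fixed build (vulnerable), 0 = fixed or newer, -1 = unparsable. */
static int is_vulnerable(const char *installed) {
    long have[VERSION_PARTS], fixed[VERSION_PARTS];
    if (parse_version(installed, have) != 0) return -1;
    if (parse_version(FIXED_VERSION, fixed) != 0) return -1;
    return compare_parts(have, fixed) < 0 ? 1 : 0;
}

int main(void) {
    /* Constructed sample inventory values, not real hosts. */
    const char *samples[] = { "89.0.4389.114", "89.0.4389.128", "90.0.4430.72",
                              "9.0.4389.128", "not-a-version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = is_vulnerable(samples[i]);
        printf("%-16s -> %s\n", samples[i],
               r == 1 ? "VULNERABLE" : r == 0 ? "fixed" : "unparsable");
    }
    return 0;
}
```

The same comparator can be pointed at the Chromium-based browsers listed in the remediation bullets by substituting each vendor's fixed build; the page does not give those build numbers, so they are not included here.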
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-21206 |
| Vendor / Product | Google — Chromium Blink |
| NVD Published | 2021-04-26 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-04-13 | Google releases Chrome 89.0.4389.128 patching CVE-2021-21206 — zero-day, exploited in the wild |
| 2021-04-20 | Chrome 90.0.4430.72 released, also addressing related V8 vulnerabilities in the same zero-day cluster |
| 2021-04-26 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — Chrome 89.0.4389.128 | Vendor Advisory |
| NVD — CVE-2021-21206 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |