CVE-2021-30554 — Google Chromium WebGL Use-After-Free Vulnerability

CVE-2021-30554

Chrome WebGL — Use-After-Free Zero-Day Enables Remote Code Execution via Malicious Web Content; Actively Exploited Before June 2021 Patch

What is WebGL in Chrome?

WebGL (Web Graphics Library) is a JavaScript API that lets web pages render hardware-accelerated 2D and 3D graphics through the GPU without browser plugins. In Chrome the WebGL objects that script touches (contexts, buffers, textures, programs) live in the Blink renderer process; the renderer serializes GL commands over a command buffer to the separate GPU process, which talks to the GPU driver (through ANGLE) on the page's behalf. Both processes are sandboxed, although the GPU process sandbox is weaker than the renderer's on some platforms. A use-after-free in WebGL lets attacker-controlled script free one of these objects while a live reference to it remains, then trigger an access through the stale pointer, corrupting heap memory in whichever process owns the object. Code execution in that process is a foothold rather than a full compromise: reaching the operating system still requires a sandbox escape.

Overview

CVE-2021-30554 is a use-after-free vulnerability (CWE-416) in Chrome's WebGL implementation. Google patched it in Chrome 91.0.4472.114, an out-of-cycle stable release on June 17, 2021, and stated in the release notes that it was aware of an exploit in the wild, making this a zero-day at the time of the patch. A malicious web page containing WebGL content can trigger the UAF and corrupt heap memory, potentially achieving code execution in the Chrome renderer or GPU process; reaching the operating system additionally requires a sandbox escape. Because WebGL is part of the shared Chromium codebase, every Chromium-based browser was affected until it shipped the fix. CISA listed the CVE in the Known Exploited Vulnerabilities catalog on November 3, 2021.

Affected Versions

Product  Vulnerable  Fixed
Google Chrome before 91.0.4472.114  Yes  Chrome 91.0.4472.114 (June 17, 2021)
Microsoft Edge (Chromium) on a build older than Chromium 91.0.4472.114  Yes  Edge release that incorporates Chromium 91.0.4472.114
Opera, Brave and other Chromium-based browsers on older Chromium  Yes  Corresponding vendor updates

Technical Details

  • Root cause: use-after-free (CWE-416) in WebGL. A WebGL graphics object is freed while another part of the code still holds a pointer to it; attacker-controlled JavaScript then drives the WebGL API so that the stale pointer is dereferenced, reading or writing heap memory that now belongs to something else. Google's description is deliberately terse ("potentially exploit heap corruption via a crafted HTML page"), so the specific object and call sequence are not described in the advisory.
  • UAF exploitation pattern: after the object is freed, the attacker allocates objects of the same size class from script (typed arrays, strings, other WebGL objects) so that one of them lands in the freed slot, then fills it with chosen bytes. When the dangling pointer is dereferenced, those bytes are interpreted as the freed object's fields (a length, a vtable pointer, a backing-store pointer), which typically yields an out-of-bounds read or write and, from there, arbitrary read/write and control of execution.
  • Code execution scope: exploitation yields code execution inside the Chrome renderer or GPU process. Both are sandboxed, so this is a foothold; a complete browser exploit chain pairs it with a sandbox escape (or a kernel bug) to reach the OS.
  • Zero-day status: Google's release notes stated that it "is aware that an exploit for CVE-2021-30554 exists in the wild"; the vulnerability was weaponized and used before the patch.
  • Cross-browser impact: WebGL is implemented in the shared Chromium codebase, so Microsoft Edge, Opera, Brave and other Chromium-based browsers were affected until they shipped builds that incorporate the fix.
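The free, reclaim and dereference sequence described in the bullets above, as an added example (editor's code, not Chrome's, and not the actual object involved in CVE-2021-30554). A toy slab allocator stands in for one size-class bucket of a real heap, a hypothetical GfxBuffer with a trusted length field stands in for the WebGL object, and a hypothetical GfxContext holds the raw pointer that is left dangling. The buggy release frees the object without clearing the context's pointer, the attacker's next same-size allocation lands in the freed slot, and the stale pointer then reports an attacker-chosen bound; the fixed release clears the owner's reference before the memory goes back to the allocator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Editor's example, not Chrome code. A fixed-size slab stands in for one
 * size-class bucket of a real allocator: a freed slot goes to the top of the
 * free list, so the next allocation of that size gets it back first. That
 * LIFO reuse is what makes reclaiming a freed object from script reliable. */
#define SLOT_SIZE 32
#define NSLOTS    8

static union { uint64_t align; uint8_t bytes[NSLOTS * SLOT_SIZE]; } slab;
static int free_stack[NSLOTS];
static int free_top;

static void slab_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_top++] = i; /* slot 0 on top */
}
static void *slab_alloc(void) {
    return free_top ? slab.bytes + free_stack[--free_top] * SLOT_SIZE : NULL;
}
static void slab_free(void *p) {
    free_stack[free_top++] = (int)(((uint8_t *)p - slab.bytes) / SLOT_SIZE);
}

/* Hypothetical graphics object: `length` is the trusted bound for data[]. */
typedef struct {
    uint32_t length;
    uint32_t kind;
    uint8_t  data[SLOT_SIZE - 8];
} GfxBuffer;

/* Hypothetical context that keeps a raw pointer to the buffer last bound to it. */
typedef struct { GfxBuffer *bound; } GfxContext;

static GfxBuffer *buffer_create(GfxContext *ctx, uint32_t len) {
    GfxBuffer *b = slab_alloc();           /* slab is reset per run, never exhausted here */
    memset(b, 0, sizeof *b);
    b->length = len;
    b->kind = 1;
    ctx->bound = b;
    return b;
}

/* VULNERABLE: releases the memory but leaves ctx->bound dangling. */
static void buffer_release_buggy(GfxContext *ctx, GfxBuffer *b) {
    (void)ctx;
    slab_free(b);
}

/* FIXED: the owner drops its reference before the memory is released. */
static void buffer_release_fixed(GfxContext *ctx, GfxBuffer *b) {
    if (ctx->bound == b) ctx->bound = NULL;
    slab_free(b);
}

/* The bound a later draw call would trust, or 0 if nothing is bound. */
static uint32_t bound_length(const GfxContext *ctx) {
    return ctx->bound ? ctx->bound->length : 0;
}

/* Attacker step: allocate in the same size class right after the free and
 * fill it with controlled bytes (in a browser: e.g. filling a typed array). */
static void attacker_reclaim(uint8_t fill) {
    uint8_t *spray = slab_alloc();
    memset(spray, fill, SLOT_SIZE);
}

/* Runs the UAF and returns the length the stale pointer now reports. */
uint32_t run_uaf(void) {
    GfxContext ctx = {0};
    slab_init();
    GfxBuffer *b = buffer_create(&ctx, 4);   /* legitimately small bound */
    buffer_release_buggy(&ctx, b);           /* freed; ctx.bound still points at it */
    attacker_reclaim(0x41);                  /* same slot reused, filled with 0x41 */
    return bound_length(&ctx);               /* 0x41414141: attacker-chosen bound */
}

/* The same sequence against the fixed release: no stale reference survives. */
uint32_t run_fixed(void) {
    GfxContext ctx = {0};
    slab_init();
    GfxBuffer *b = buffer_create(&ctx, 4);
    buffer_release_fixed(&ctx, b);
    attacker_reclaim(0x41);
    return bound_length(&ctx);               /* 0: the reference was cleared */
}

int main(void) {
    printf("buggy release: stale length = 0x%08x\n", run_uaf());
    printf("fixed release: stale length = 0x%08x\n", run_fixed());
    return 0;
}
```

Compile with `cc -o uaf uaf.c` and run. The two printed lengths show why a same-size allocation immediately after the free is the reliable way to control what the dangling pointer sees, and why the fix belongs in the release path (clearing or ref-counting the owner's reference) rather than in every consumer of the pointer.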

Discovery

Google's release notes credit the report to an anonymous researcher on June 15, 2021, two days before the fix shipped, and state that an exploit already existed in the wild. No public attribution of the in-the-wild activity accompanied the patch. That pattern is consistent with either a commercially sold exploit or a vulnerability found and weaponized independently by a threat actor, but nothing on this page settles which.

Exploitation Context

Chrome WebGL use-after-free zero-days are high-value capabilities, typically used as the initial memory-corruption stage of a browser exploit chain. The June 17, 2021 release was an out-of-cycle stable update issued because Google had confirmed active exploitation, which points to the exploit having been deployed in targeted or semi-targeted attacks before the fix was available. The CISA KEV entry dated November 3, 2021 is the day the catalog itself was created under BOD 22-01; this CVE was among the initial set, with the two-week remediation deadline (November 17, 2021) that the directive assigned to CVEs issued in 2021. Enterprise fleets that pin or delay browser updates are the installations that remain exposed long after Chrome's rapid release cadence has moved on.

Remediation

  1. Update Chrome to 91.0.4472.114 or later; chrome://settings/help shows the installed build and triggers an update check, and the update only takes effect once the browser is relaunched
  2. Update every other Chromium-based browser (Edge, Opera, Brave) independently; each vendor ships the Chromium fix in its own release
  3. Keep automatic updates working: confirm that enterprise policy has not disabled Chrome or Edge updates and that egress filtering does not block Google's update servers
  4. In enterprise environments, use Chrome Browser Cloud Management, Microsoft Endpoint Manager or an equivalent tool to inventory installed versions and force a relaunch after updates (for Chrome, the RelaunchNotification policy), so that the patched binary is actually the one running
  5. Keep the Chrome sandbox enabled: make sure --no-sandbox does not appear in shortcuts, launch scripts or policies, since running without the sandbox turns a renderer or GPU-process UAF into a direct path to user-level code execution
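Steps 1 and 4 above both reduce to comparing an installed build number against the fixed build. An added example (editor's code, not a Chrome or Google tool) of that check in C, suitable for a fleet agent or inventory script: it pulls the version out of the banner that `google-chrome --version` prints, splits the dotted version into integers and compares numerically. The minimum version is passed in rather than hard-coded; the calls in main use the fixed build 91.0.4472.114 and banner lines constructed for the example (91.0.4472.99 is made up to show the string-comparison trap).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Editor's example, not Chrome code: numeric comparison of dotted build
 * numbers. Comparing the strings directly is the classic mistake here:
 * "91.0.4472.99" sorts after "91.0.4472.114" lexicographically and would be
 * reported as patched. */

/* Parses up to four dot-separated numeric components into out[]; absent
 * trailing components count as 0. Returns 1 on success, 0 on malformed input. */
static int parse_version(const char *s, unsigned out[4]) {
    const char *p = s;
    for (int i = 0; i < 4; i++) out[i] = 0;
    for (int i = 0; i < 4; i++) {
        char *end;
        if (!isdigit((unsigned char)*p)) return 0;
        out[i] = (unsigned)strtoul(p, &end, 10);
        if (*end == '\0') return 1;
        if (*end != '.') return 0;
        p = end + 1;
    }
    return 0; /* more than four components */
}

/* -1, 0 or 1 as a < b, a == b, a > b, compared component by component. */
static int version_cmp(const unsigned a[4], const unsigned b[4]) {
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 if installed >= minimum, 0 if older, -1 if either string is malformed
 * (report "unknown"; never let a parse failure count as patched). */
int version_is_at_least(const char *installed, const char *minimum) {
    unsigned have[4], need[4];
    if (!parse_version(installed, have) || !parse_version(minimum, need)) return -1;
    return version_cmp(have, need) >= 0;
}

/* Copies the first dotted number out of a banner such as
 * "Google Chrome 91.0.4472.114" into out; returns 0 if none is present. */
static int version_from_banner(const char *line, char *out, size_t outlen) {
    const char *p = line;
    while (*p && !isdigit((unsigned char)*p)) p++;
    size_t n = strspn(p, "0123456789.");
    if (n == 0 || n + 1 > outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Classifies one `--version` line: 1 patched, 0 vulnerable, -1 unknown. */
int banner_is_at_least(const char *line, const char *minimum) {
    char v[32];
    if (!version_from_banner(line, v, sizeof v)) return -1;
    return version_is_at_least(v, minimum);
}

int main(void) {
    /* Constructed banner lines standing in for `google-chrome --version`
     * output collected from several hosts. */
    static const char *hosts[] = {
        "Google Chrome 91.0.4472.114",
        "Google Chrome 91.0.4472.99",
        "Chromium 92.0.4515.107 snap",
        "command not found",
    };
    const char *fixed = "91.0.4472.114";
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int r = banner_is_at_least(hosts[i], fixed);
        printf("%-32s -> %s\n", hosts[i],
               r == 1 ? "patched" : r == 0 ? "VULNERABLE" : "unknown");
    }
    return 0;
}
```

The same comparison applies to Edge, Brave or Opera by passing each vendor's own fixed build as the minimum; the important design point is that an unparsable banner is reported as unknown rather than silently treated as patched.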

Key Details

Property  Value
CVE ID  CVE-2021-30554
Vendor / Product  Google — Chromium WebGL
NVD Published  2021-07-02
NVD Last Modified  2025-10-24
CVSS 3.1 Score  8.8
CVSS 3.1 Vector  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity  HIGH
CWE  CWE-416
CISA KEV Added  2021-11-03
CISA KEV Deadline  2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector  Network
Attack Complexity  Low
Privileges Required  None
User Interaction  Required
Scope  Unchanged
Confidentiality  High
Integrity  High
Availability  High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date  Event
2021-06-15  Vulnerability reported to Google (credited to Anonymous in the release notes)
2021-06-17  Google releases Chrome 91.0.4472.114 patching CVE-2021-30554 and states it 'is aware that an exploit for CVE-2021-30554 exists in the wild'
2021-07-02  CVE published by NVD
2021-11-03  Added to the CISA Known Exploited Vulnerabilities catalog as part of the initial BOD 22-01 catalog
2021-11-17  CISA BOD 22-01 remediation deadline