CVE-2021-30633 — Google Chromium Indexed DB API Use-After-Free Vulnerability

CVE-2021-30633

Google Chrome/Chromium — Zero-Day Indexed DB UAF Enabling Renderer Sandbox Escape, Patched in Chrome 94

What is Chromium Indexed DB?

Indexed DB is a web browser API that allows JavaScript to store large amounts of structured data in the browser, enabling offline web applications and high-performance data storage. Chrome's Indexed DB implementation runs in the renderer process (the sandboxed process that executes web content). Use-after-free bugs in Indexed DB can be exploited by malicious web pages to corrupt renderer memory — and when combined with a separate sandbox escape primitive, can achieve full code execution outside the Chrome sandbox.

Overview

CVE-2021-30633 is a use-after-free (UAF) vulnerability (CWE-416) in the Chromium Indexed DB API implementation. The vulnerability allows a malicious web page to trigger memory corruption in the Chrome renderer process. An attacker who has already compromised the renderer (either through this bug alone or as part of a chain) can exploit this UAF to escape the Chrome renderer sandbox and execute arbitrary code on the underlying operating system. Google patched this as an actively exploited zero-day in Chrome 94.0.4606.61 on September 30, 2021.

Affected Versions

Product | Vulnerable | Fixed
Google Chrome | < 94.0.4606.61 | 94.0.4606.61
Microsoft Edge (Chromium) | Corresponding versions | Corresponding update
Other Chromium-based browsers | Corresponding versions | Corresponding update

Technical Details

The use-after-free occurs in Chromium's Indexed DB implementation within the renderer process. JavaScript executing a specific sequence of Indexed DB operations can cause an object to be freed while a reference to it remains active. The freed memory can subsequently be accessed through the dangling reference:

  • Root cause: UAF in Indexed DB object lifecycle management — a freed IDBDatabase or related object is accessed after deallocation
  • Renderer-level exploitation: The UAF provides controlled memory corruption within the renderer process, usable for type confusion or arbitrary read/write primitives
  • Sandbox escape: With renderer-level code execution, the attacker leverages a second vulnerability (or this bug's primitives) to escape the Chromium sandbox and execute code as the browser process or OS user
  • User interaction required: Victim must visit a malicious web page or be redirected to one by a first-stage exploit
  • Exploit chain position: Typically the second stage in a two-bug chain (first bug achieves renderer RCE, this or another bug achieves sandbox escape)

Discovery

Google's internal team patched this as a zero-day exploit confirmed in the wild, consistent with Google Threat Analysis Group (TAG) monitoring of government-backed exploitation. The simultaneous patching of multiple Indexed DB and Portals UAFs (CVE-2021-37973, CVE-2021-37976) in the same Chrome 94 update suggests these were discovered as components of an active exploit chain.

Exploitation Context

Zero-day Chrome sandbox escape bugs are primarily used by government-sponsored threat actors targeting high-value individuals — journalists, dissidents, government officials, and security researchers. The rapid CISA KEV addition (34 days after patch) reflects confirmed in-the-wild exploitation in targeted attacks.

Remediation

  1. Update Chrome to version 94.0.4606.61 or later immediately
  2. Enable automatic Chrome updates to ensure rapid zero-day patching
  3. Update all Chromium-based browsers (Edge, Opera, Brave) to their corresponding patched versions
  4. For high-risk users: consider enabling Chrome's Enhanced Safe Browsing mode
  5. Keep the underlying OS patched to limit the impact of any future sandbox escapes
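
One way to audit for step 1, as an added example that is not part of the original advisory: it classifies the output of `google-chrome --version` against the fixed version given above, comparing components numerically so that 100.x is not sorted below 94.x. Host names and inventory lines are constructed sample data, and the function names are illustrative.

```python
import re

# Fixed Google Chrome version as stated in this advisory.
FIXED_CHROME = (94, 0, 4606, 61)

# '<product name> <a.b.c.d>' is the shape `google-chrome --version` prints.
VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+(?:\.\d+){3})\b")


def parse_version_line(line):
    """Return (product, (a, b, c, d)) or None if no four-part version is found."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None
    return m.group("product"), tuple(int(p) for p in m.group("ver").split("."))


def classify(line):
    """Return 'patched', 'vulnerable', 'vendor-check' or 'unparseable'."""
    parsed = parse_version_line(line)
    if parsed is None:
        # Failed collection is reported, never silently counted as patched.
        return "unparseable"
    product, version = parsed
    if product != "Google Chrome":
        # The advisory lists only "corresponding" versions for other
        # Chromium-based browsers, so their numbers cannot be compared here.
        return "vendor-check"
    # Tuple comparison is numeric per component; string comparison would
    # wrongly place "100.0..." before "94.0...".
    return "patched" if version >= FIXED_CHROME else "vulnerable"


# Constructed inventory: host -> collected `--version` output.
INVENTORY = {
    "ws-001": "Google Chrome 94.0.4606.61",
    "ws-002": "Google Chrome 93.0.4577.63",
    "ws-003": "Google Chrome 100.0.4896.60",
    "ws-004": "Microsoft Edge 93.0.961.38",
    "ws-005": "chrome: command not found",
}


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}\t{status}\t{INVENTORY[host]}")
```
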

Key Details

Property | Value
CVE ID | CVE-2021-30633
Vendor / Product | Google — Chromium Indexed DB API
NVD Published | 2021-10-08
NVD Last Modified | 2025-10-24
CVSS 3.1 Score | 9.6
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-416
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-09-30 | Google releases Chrome 94.0.4606.61 patching CVE-2021-30633 as a zero-day
2021-10-08 | CVE formally published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline