May Vuln of the Month: CVE-2021-21206

May 12, 2021
Jerry Gamblin
Director of Security Research at Kenna Security

Share with Your Network

It’s another Exploit Wednesday—the day we publish our latest Vuln of the Month blog. In this series, we pick the day after Exploit Tuesday to highlight a vulnerability we think warrants a closer look.  And if your people use a Chromium-based browser (that’s Google Chrome or Microsoft Edge for you non-open source geeks), then CVE-2021-21206 is definitely worth your attention.

May’s Vuln of the Month is CVE-2021-21206, a Use After Free vulnerability in Chromium’s Blink rendering engine. As of this writing, CVE-2021-21206 has a Kenna Risk Score of 77. 

 Our research shows that CVE-2021-21206 meets many of the criteria we look for to be widely exploited, including:

  • Access complexity: Low
  • Potential attack surface: >3B
  • Exploitable remotely: No
  • Authentication/privilege requirements: None
  • Potential impact on availability: Significant
  • Exploit code published: Yes
  • Active exploits observed: Yes


CVE-2021-21206 has a Kenna Risk Meter Score of 77, just 1.52% of vulnerabilities scored higher

As the above graph illustrates, only 1.52% of observed vulnerabilities pose a larger risk than CVE-2021-21206.


Why CVE-2021-21206 matters

This vulnerability was first reported anonymously on April 7 and published in the National Vulnerability Database on April 26. It is potentially serious for a multitude of reasons, not the least of which is its massive attack surface: Because it can affect Chromium-based browsers (Google Chrome and Microsoft Edge, the choice of 77% of Internet users) across the most popular desktop platforms, this Free After Use vulnerability has the potential for serious damage if the target is tricked into visiting a specially crafted HTML page. 

A successful exploit could lead to arbitrary code execution, which in turn could result in denial of service attacks, data loss, system crashes, and more. No special credentials are required, and Microsoft says it has received reports of exploits in the wild. CVE-2021-21206 has earned a CVSS score of 8.8.

Bottom line

An attack surface involving billions of endpoints, a true cross-platform vulnerability that impacts browsers regardless of operating system, the ability to execute arbitrary code, and a mitigation process requiring the timely cooperation of end users—all this places CVE-2021-21206 squarely in our crosshairs. And it should be in yours too.  

Mitigation status

Remediating this vuln requires updating the affected browsers. On April 13, Google began rolling out Chrome Stable Channel Update for Desktop (89.0.4389.128) for Windows, Mac and Linux.  A day later, Microsoft released Microsoft Edge Stable Channel (Version 89.0.774.68).  


Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our real-time vulnerability intelligence powered by machine learning. 


Read the Latest Content


Is GitHub a Source for Exploits?

Find out if GitHub can be used as a source for cybersecurity exploits and how you can protect yourself. Read more about GitHub security now!
Trending Vulns

March Vuln of the Month: CVE-2021-24094

Kenna is closely tracking CVE-2021-24094, a Remote Code Execution vuln in the default TCP/IP stack on all supported Microsoft OS.
Trending Vulns

April Vuln of the Month: CVE-2021-21972

CVE-2021-21972 addresses a remote code execution vuln in a plugin. Learn how Kenna is dealing with this threat and how you can protect yourself too.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.