May Vuln of the Month: CVE-2021-21206
It’s another Exploit Wednesday, the day we publish our latest Vuln of the Month blog. In this series, we pick the day after Patch Tuesday to highlight a vulnerability we think warrants a closer look. And if your people use a Chromium-based browser (Google Chrome or Microsoft Edge being the big two), then CVE-2021-21206 is definitely worth your attention.
May’s Vuln of the Month is CVE-2021-21206, a Use After Free vulnerability in Chromium’s Blink rendering engine. As of this writing, CVE-2021-21206 has a Kenna Risk Score of 77.
Our research shows that CVE-2021-21206 meets many of the criteria we look for to be widely exploited, including:
- Access complexity: Low
- Potential attack surface: >3B
- Exploitable remotely: Yes (the victim only has to load an attacker-controlled web page)
- Authentication/privilege requirements: None
- Potential impact on availability: Significant
- Exploit code published: Yes
- Active exploits observed: Yes
As the above graph illustrates, only 1.52% of observed vulnerabilities pose a larger risk than CVE-2021-21206.
Why CVE-2021-21206 matters
This vulnerability was first reported anonymously on April 7 and published in the National Vulnerability Database on April 26. It is potentially serious for a multitude of reasons, not the least of which is its massive attack surface: because it affects Chromium-based browsers (Google Chrome and Microsoft Edge, the choice of 77% of Internet users) across the most popular desktop platforms, this Use After Free vulnerability has the potential for serious damage if the target is tricked into visiting a specially crafted HTML page.
A successful exploit could lead to arbitrary code execution in the browser’s rendering process, which in turn could result in denial of service, data loss, system crashes, and more. No credentials or privileges are required, only that the user open the malicious page, and Microsoft says it has received reports of exploits in the wild. CVE-2021-21206 has earned a CVSS score of 8.8 (High).
Bottom line
An attack surface involving billions of endpoints, a true cross-platform vulnerability that impacts browsers regardless of operating system, the ability to execute arbitrary code, and a mitigation process requiring the timely cooperation of end users—all this places CVE-2021-21206 squarely in our crosshairs. And it should be in yours too.
Mitigation status
Remediating this vuln requires updating the affected browsers. On April 13, Google began rolling out Chrome Stable Channel Update for Desktop (89.0.4389.128) for Windows, Mac and Linux. A day later, Microsoft released Microsoft Edge Stable Channel (Version 89.0.774.68). On both browsers the downloaded update only takes effect once the browser is relaunched, which is why remediation ultimately depends on end users closing and reopening their browsers.
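When checking fleet coverage, the pitfall is comparing version strings lexically: "89.0.4389.90" sorts after "89.0.4389.128" as text but is an older, still vulnerable build. The script below is an added example (not Kenna’s, Google’s or Microsoft’s code) that parses the four-part Chromium version numerically and compares it against the fixed builds named above. The binary names it probes and the assumption of a Unix-like host with the browser on PATH are my own; the sample version strings in the test are constructed for illustration.

```python
"""Report whether installed Chrome/Edge builds are at or past the fix for
CVE-2021-21206. Added example; fixed build numbers come from the vendor
stable-channel releases cited in the post."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# First stable builds containing the fix (from the post).
FIXED_BUILDS = {
    "chrome": (89, 0, 4389, 128),
    "edge": (89, 0, 774, 68),
}

# Binaries to try with --version. Assumption: Unix-like host; Windows
# (registry / Program Files lookup) is not covered here.
BINARIES = {
    "chrome": ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser"],
    "edge": ["microsoft-edge", "microsoft-edge-stable"],
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Pull a four-part Chromium version out of e.g. 'Google Chrome 89.0.4389.90'.
    Returns ints so comparison is numeric: as strings '89.0.4389.90' would
    wrongly compare greater than '89.0.4389.128'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(browser: str, version_text: str) -> Optional[bool]:
    """True if the reported build is at or past the fixed build for `browser`,
    False if it is older, None if no version could be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v >= FIXED_BUILDS[browser]


def installed_version(browser: str) -> Optional[str]:
    """Run the first matching binary found on PATH with --version."""
    for name in BINARIES[browser]:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        return out.stdout.strip()
    return None


def main() -> None:
    for browser in FIXED_BUILDS:
        text = installed_version(browser)
        if text is None:
            print(f"{browser}: not found on PATH")
            continue
        status = is_patched(browser, text)
        label = {True: "patched", False: "VULNERABLE", None: "unparseable"}[status]
        print(f"{browser}: {text!r} -> {label} (needs >= "
              f"{'.'.join(map(str, FIXED_BUILDS[browser]))})")


if __name__ == "__main__":
    main()
```

Run it as a post-patch-cycle audit on endpoints, or feed `is_patched` the version strings your inventory tool already collects; a "patched" result still only means the fixed binary is on disk, not that the user has relaunched into it.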
Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our real-time vulnerability intelligence powered by machine learning.