Multiple vulnerabilities in Google Chrome



| Updated: 2023-08-16
Risk Critical
Patch available YES
Number of vulnerabilities 35
CVE-ID CVE-2021-21180
CVE-2021-21171
CVE-2021-21172
CVE-2021-21173
CVE-2021-21174
CVE-2021-21175
CVE-2021-21176
CVE-2021-21177
CVE-2021-21178
CVE-2021-21179
CVE-2021-21181
CVE-2021-21169
CVE-2021-21182
CVE-2021-21183
CVE-2021-21184
CVE-2021-21185
CVE-2021-21186
CVE-2021-21187
CVE-2021-21188
CVE-2021-21189
CVE-2021-21190
CVE-2021-21170
CVE-2021-21168
CVE-2021-21167
CVE-2021-21158
CVE-2021-21159
CVE-2021-21160
CVE-2021-21161
CVE-2021-21162
CVE-2021-21163
CVE-2021-21164
CVE-2021-21165
CVE-2021-21166
CVE-2020-27844
CVE-2021-21200
CWE-ID CWE-416
CWE-451
CWE-264
CWE-310
CWE-358
CWE-20
CWE-908
CWE-122
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerability #33 is being exploited in the wild.
Vulnerable software
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 35 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU51140

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21180

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within tab search in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1175507


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

EUVDB-ID: #VU51131

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21171

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in TabStrip and Navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1152894


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51132

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-21172

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in File System API in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1150810


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Cryptographic issues

EUVDB-ID: #VU51133

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21173

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to side-channel information leak in Network Internals. Chrome Medium. A remote attacker can create a specially crafted web page, trick the victim into opening it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1154250


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improperly implemented security check for standard

EUVDB-ID: #VU51134

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21174

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Referrer in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1158010


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improperly implemented security check for standard

EUVDB-ID: #VU51135

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21175

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Site isolation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1146651


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improperly implemented security check for standard

EUVDB-ID: #VU51136

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21176

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in full screen mode in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1170584


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51137

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21177

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Autofill in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1173879


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improperly implemented security check for standard

EUVDB-ID: #VU51138

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21178

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Compositing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1174186


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use-after-free

EUVDB-ID: #VU51139

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21179

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Network Internals in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1174943


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Cryptographic issues

EUVDB-ID: #VU51141

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21181

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to side-channel information leak in autofill. Chrome Medium. A remote attacker can create a specially crafted web page, trick the victim into opening it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1182767


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper control of a resource through its lifetime

EUVDB-ID: #VU51167

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21169

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a boundary condition within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and crash the browser.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1166138


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51142

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21182

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in navigations in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1049265


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improperly implemented security check for standard

EUVDB-ID: #VU51143

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21183

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in performance APIs in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1105875


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improperly implemented security check for standard

EUVDB-ID: #VU51144

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21184

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in performance APIs in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1131929


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51145

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21185

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in extensions in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1100748


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51146

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21186

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in QR scanning in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1153445


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Input validation error

EUVDB-ID: #VU51147

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21187

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in URL formatting in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1155516


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Use-after-free

EUVDB-ID: #VU51148

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21188

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to use-after-free error in Blink in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1161739


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51149

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21189

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in payments in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1165392


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Use of uninitialized resource

EUVDB-ID: #VU51150

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21190

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of uninitialized resources in PDFium in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1166091


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Spoofing attack

EUVDB-ID: #VU51130

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21170

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Loader in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1111646


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51129

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21168

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in appcache in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1152226


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Use-after-free

EUVDB-ID: #VU51128

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21167

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within bookmarks in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1161144


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Input validation error

EUVDB-ID: #VU51121

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21158

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in iOSWeb in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1129361


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Heap-based buffer overflow

EUVDB-ID: #VU51122

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21159

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in TabStrip. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1171049


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Heap-based buffer overflow

EUVDB-ID: #VU51123

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21160

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in WebAudio. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1170531


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Heap-based buffer overflow

EUVDB-ID: #VU51124

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21161

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in TabStrip. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1173702


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Use-after-free

EUVDB-ID: #VU51125

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21162

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the WebRTC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1172054


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Input validation error

EUVDB-ID: #VU51126

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21163

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in Reader Mode in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1111239


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Input validation error

EUVDB-ID: #VU51127

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21164

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in iOSWeb in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1164846


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper control of a resource through its lifetime

EUVDB-ID: #VU51165

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21165

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper control of object lifetime in audio in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1174582


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Improper control of a resource through its lifetime

EUVDB-ID: #VU51166

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-21166

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper control of object lifetime in audio in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: 86.0.4240.198 - 88.0.4324.190

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1177465


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

34) Heap-based buffer overflow

EUVDB-ID: #VU49182

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-27844

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in lib/openjp2/t2.c. A remote attacker can pass specially crafted image to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: before 89.0.4389.72

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1177875


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Improperly implemented security check for standard

EUVDB-ID: #VU79600

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21200

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Settings in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 89.0.4389.72.

Vulnerable software versions

Google Chrome: before 89.0.4389.72

CPE2.3 External links

http://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
http://crbug.com/1164816


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###