CVE-2021-21166
CVE-2021-21166
In short
A timing flaw in Chrome's audio processing allows attackers to corrupt memory through a specially crafted webpage. This could let them crash the browser or potentially run malicious code.
Technical detail
A data race condition in the audio subsystem of Chrome versions prior to 89.0.4389.72 enables heap corruption exploitation. An attacker delivers a crafted HTML page that triggers concurrent access to shared memory structures; no user interaction beyond visiting the page is required. Successful exploitation results in memory corruption with potential code execution.
Summary generated and translated by AI from the official description.
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Google · ChromeWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.htmlhttps://crbug.com/1177465https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT/https://security.gentoo.org/glsa/202104-08https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21166https://www.debian.org/security/2021/dsa-4886