CVE-2021-30528: 
vulnerability analysis and mitigation

CVE-2021-30528 is a Use-after-free vulnerability discovered in the WebAuthentication component of Google Chrome on Android prior to version 91.0.4472.77. The vulnerability was reported by Man Yue Mo of GitHub Security Lab on May 6, 2021, and was fixed in the Chrome release 91.0.4472.77 on May 25, 2021 (GitHub Security Lab, Chrome Release).

The vulnerability occurs in the InternalAuthenticatorAndroid::InvokeIsUserVerifyingPlatformAuthenticatorAvailableResponse component. When fetching credit card details for autofill, IsUserVerifyingPlatformAuthenticatorAvailable is called, which then calls the corresponding method of the Java class InternalAuthenticator. The issue arises because mNativeInternalAuthenticatorAndroid is stored in a Java lambda callback, creating a shared reference that can outlive the original object, potentially leading to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, GitHub Security Lab).

The vulnerability could allow a remote attacker who has compromised the renderer process of a user who had saved a credit card in their Google account to potentially exploit heap corruption via a crafted HTML page. This could lead to sandbox escape on Android devices (NVD, GitHub Security Lab).

The vulnerability was patched in Chrome version 91.0.4472.77. Users and administrators should upgrade to this version or later to mitigate the risk. Various Linux distributions including Fedora and Gentoo have also released security updates to address this vulnerability (Gentoo Advisory, Fedora Update).