CVE-2021-30602: 
vulnerability analysis and mitigation

CVE-2021-30602 is a use-after-free vulnerability discovered in the WebRTC functionality of Google Chrome prior to version 92.0.4515.159. The vulnerability was reported by Marcin Towalski of Cisco Talos on July 19, 2021, and was publicly disclosed on August 16, 2021 (Chrome Release, Talos Report).

The vulnerability exists in the WebRTC component's addIceCandidate functionality. When setting up a WebRTC session, the AddIceCandidate function is used to add Interactive Connection Establishment candidates received from the remote peer over the signaling channel. The vulnerability occurs when garbage collection is triggered before adding an ICE candidate, which can lead to the reuse of previously freed memory due to an active Promise that was called before garbage collection. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Talos Report).

If exploited, this vulnerability could allow an attacker who convinces a user to visit a malicious website to potentially exploit heap corruption via a crafted HTML page. With proper manipulation of the Promise responsible for setting description setLocalDescription, this vulnerability could lead to control over freed memory and ultimately arbitrary code execution (Talos Report).

Google has addressed this vulnerability in Chrome version 92.0.4515.159. Users and administrators are advised to update to this version or later to mitigate the risk. The fix was released as part of a larger security update that addressed multiple vulnerabilities (Chrome Release).