Vulnerability DatabaseCVE-2021-4098

CVE-2021-4098:
vulnerability analysis and mitigation

Overview

Insufficient data validation in Mojo in Google Chrome prior to version 96.0.4664.110 was identified as CVE-2021-4098. The vulnerability allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape through a crafted HTML page. This critical security flaw was discovered and reported by Sergei Glazunov of Google Project Zero on October 26, 2021 (Chrome Release).

Technical details

The vulnerability received a CVSS v3.1 base score of 7.4 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, and while there is no impact on confidentiality or availability, the impact on integrity is high (NVD).

Impact

The vulnerability could allow an attacker to escape the Chrome sandbox if they had already compromised the renderer process. This represents a significant security breach as it could potentially lead to executing code outside of Chrome's protective sandbox environment (Chrome Release).

Mitigation and workarounds

Google addressed this vulnerability in Chrome version 96.0.4664.110 for Windows, Mac, and Linux platforms. Users are advised to update their Chrome browsers to this version or later to protect against this security flaw (Chrome Release).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.4

Score

Published February 11, 2022

Severity HIGH

CNA Score N/A

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 50.7

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

chromium
qt5-qtwebengine-devtools

Sources

Alpine Security Tracker
- Alpine 3.15 Severity HIGHHas FixAdded at: Dec 22, 2021
- Alpine 3.16 Severity HIGHHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity HIGHHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity HIGHHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine 3.23 Severity HIGHHas FixAdded at: Dec 04, 2025
- Alpine edge Severity HIGHHas FixAdded at: Jun 19, 2023
Debian Security Tracker
- Debian 9, 10 Severity HIGHNo FixAdded at: Mar 28, 2022
- Debian 11 Severity HIGHHas FixAdded at: Jan 15, 2022
- Debian 12 Severity HIGHHas FixAdded at: Jan 29, 2022
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Jul 24, 2022
Nix
- Nix Severity HIGHHas FixAdded at: May 26, 2024
Ubuntu Security Tracker
- Ubuntu 18.04 Severity MEDIUMHas FixAdded at: Dec 14, 2021
NVD
- Linux Severity HIGHHas FixAdded at: Feb 18, 2022
- Windows Severity HIGHHas FixAdded at: Jan 19, 2022