CVE-2021-37977 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2021-37977?

CVE-2021-37977 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Chrome's garbage collection that allows remote attackers to potentially exploit heap corruption. Attackers can craft malicious HTML pages to trigger this vulnerability, affecting all users running vulnerable Chrome versions.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's garbage collection that allows remote attackers to potentially exploit heap corruption. Attackers can craft malicious HTML pages to trigger this vulnerability, affecting all users running vulnerable Chrome versions.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 94.0.4606.81

Operating Systems: Windows, Linux, macOS, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Extensions or security settings don't mitigate this.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash, denial of service, or limited code execution in sandboxed context.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can host malicious pages on the internet that exploit this when visited.

🏢 Internal Only: MEDIUM - Internal malicious sites could exploit it, but requires user interaction.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploit requires user to visit malicious page but no authentication needed. Heap corruption exploitation requires additional techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 94.0.4606.81 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome 2. Click menu → Help → About Google Chrome 3. Allow update to download 4. Click Relaunch when prompted

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents malicious HTML from executing JavaScript that could trigger the vulnerability

chrome://settings/content/javascript → Block

Use Site Isolation

all

Enhances sandboxing to limit impact of potential exploitation

chrome://flags/#enable-site-per-process → Enable

🧯 If You Can't Patch

Restrict browser to trusted websites only using network policies
Deploy web filtering to block known malicious sites and suspicious HTML content

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in About Google Chrome page. If version is below 94.0.4606.81, it's vulnerable.

Check Version:

google-chrome --version (Linux) or chrome://version (all platforms)

Verify Fix Applied:

Confirm Chrome version is 94.0.4606.81 or higher in About Google Chrome page.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Unexpected process termination
Sandbox escape attempts

Network Indicators:

Requests to known exploit hosting domains
Suspicious HTML/JavaScript delivery

SIEM Query:

source="chrome_crash_reports" AND version<"94.0.4606.81"

📊 Metadata

CVE ID: CVE-2021-37977

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: November 2, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1252878 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNARCF5HEZK7GJXZRN5TQ45AQDCRM2WO/
https://www.debian.org/security/2022/dsa-5046 Third Party Advisory
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1252878 Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNARCF5HEZK7GJXZRN5TQ45AQDCRM2WO/
https://www.debian.org/security/2022/dsa-5046 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37977, you might also want to check these: