CVE-2021-37981 – CVE-2021-37981 is a heap buffer overflow vulner... (How to Fix)

Q: What is the severity of CVE-2021-37981?

CVE-2021-37981 has a CVSS score of 9.6 (CRITICAL). CVE-2021-37981 is a heap buffer overflow vulnerability in Chrome's Skia graphics engine that allows an attacker who has already compromised the renderer process to potentially escape the browser sandbox. This affects users running Chrome versions prior to 95.0.4638.54. Successful exploitation could lead to full system compromise.

📋 TL;DR

CVE-2021-37981 is a heap buffer overflow vulnerability in Chrome's Skia graphics engine that allows an attacker who has already compromised the renderer process to potentially escape the browser sandbox. This affects users running Chrome versions prior to 95.0.4638.54. Successful exploitation could lead to full system compromise.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers
Microsoft Edge (Chromium-based)
Brave Browser
Opera

Versions: All versions prior to 95.0.4638.54

Operating Systems: Windows, Linux, macOS, Android, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All default Chrome installations are vulnerable. Chromium-based browsers using vulnerable Skia versions are also affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete sandbox escape leading to arbitrary code execution with system-level privileges, potentially allowing full control of the affected system.

🟠

Likely Case

Sandbox escape enabling installation of malware, data theft, or persistence mechanisms on the compromised system.

🟢

If Mitigated

Limited to renderer process compromise only, with sandbox preventing system-level access.

🌐 Internet-Facing: HIGH - Attackers can exploit via crafted web pages without user interaction beyond visiting a malicious site.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires chaining with another vulnerability to first compromise the renderer process, then this vulnerability enables sandbox escape.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 95.0.4638.54 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_19.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu. 3. Go to Help > About Google Chrome. 4. Chrome will automatically check for and install updates. 5. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution, though this breaks most web functionality.

chrome://settings/content/javascript

Use Site Isolation

all

Ensure site isolation is enabled to limit impact of renderer compromise.

chrome://flags/#site-isolation-trial-opt-out (set to Disabled)

🧯 If You Can't Patch

Restrict browser usage to trusted websites only
Implement application whitelisting to prevent unauthorized browser execution

🔍 How to Verify

Check if Vulnerable:

Check Chrome version by navigating to chrome://version and verifying version is below 95.0.4638.54

Check Version:

On Windows: "C:\Program Files\Google\Chrome\Application\chrome.exe" --version
On Linux: google-chrome --version
On macOS: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version

Verify Fix Applied:

Confirm Chrome version is 95.0.4638.54 or higher via chrome://version

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with Skia-related stack traces
Unexpected Chrome renderer process termination
Sandbox policy violation logs

Network Indicators:

Requests to known malicious domains hosting exploit code
Unusual outbound connections following Chrome usage

SIEM Query:

source="chrome" AND (event_type="crash" OR process_name="chrome_renderer") AND message="*Skia*" OR "*heap overflow*"

📊 Metadata

CVE ID: CVE-2021-37981

CVSS v3 Score: 9.6 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-787

Published: November 2, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_19.html Vendor Advisory
https://crbug.com/1246631 Permissions Required,Vendor Advisory
https://www.debian.org/security/2022/dsa-5046 Third Party Advisory
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_19.html Vendor Advisory
https://crbug.com/1246631 Permissions Required,Vendor Advisory
https://www.debian.org/security/2022/dsa-5046 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37981, you might also want to check these: