CVE-2021-38002
📋 TL;DR
This is a use-after-free vulnerability in Chrome's Web Transport component that allows a remote attacker to potentially escape the browser sandbox via a crafted HTML page. It affects Chrome versions prior to 95.0.4638.69 and could lead to arbitrary code execution on the victim's system.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through sandbox escape leading to arbitrary code execution with user privileges, potentially enabling further lateral movement or persistence.
Likely Case
Remote code execution within the browser context, potentially leading to data theft, credential harvesting, or installation of malware.
If Mitigated
Limited impact if sandbox escape fails, potentially resulting in browser crash or denial of service.
🎯 Exploit Status
Exploitation requires user interaction (visiting malicious page) but no authentication. The bug report suggests the vulnerability is exploitable for sandbox escape.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 95.0.4638.69 and later
Vendor Advisory: https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
Restart Required: Yes
Instructions:
1. Open Chrome and click the three-dot menu.
2. Go to Help > About Google Chrome.
3. Chrome will automatically check for updates and install version 95.0.4638.69 or later.
4. Click 'Relaunch' to restart Chrome with the update.
🔧 Temporary Workarounds
Disable Web Transport
Disable the Web Transport feature via Chrome flags to mitigate the vulnerability.
chrome://flags/#enable-webtransport
Set to 'Disabled'
Use Chrome Enterprise policies
Deploy enterprise policies to disable Web Transport across the organization.
Configure 'WebTransport' policy to disabled
🧯 If You Can't Patch
- Implement network filtering to block malicious websites and restrict browser access to untrusted sites.
- Use application whitelisting to prevent execution of unauthorized binaries that could result from exploitation.
🔍 How to Verify
Check if Vulnerable:
Check Chrome version by navigating to chrome://version and verify if version is below 95.0.4638.69.
Check Version:
chrome://version
Verify Fix Applied:
Confirm Chrome version is 95.0.4638.69 or higher via chrome://version.
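An added example (not part of this advisory) showing how to do the version check programmatically: it parses the four-part Chrome version and compares it numerically against 95.0.4638.69, which avoids the common mistake of comparing version strings lexicographically. The `google-chrome` binary name is an assumption for Linux; on Windows read the version from chrome://version instead.

```python
import re
import subprocess

# Fixed version from the advisory: anything older is vulnerable.
FIXED_VERSION = (95, 0, 4638, 69)

# Matches output such as "Google Chrome 95.0.4638.69" or "Chromium 94.0.4606.81".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract a four-part Chrome version from text as a tuple of ints.

    Tuples of ints compare numerically; comparing the raw strings would
    rank "100.0.4896.60" below "95.0.4638.69" and misreport a patched build.
    """
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text: str) -> bool:
    """True when the version found in `text` is below the fixed 95.0.4638.69."""
    return parse_version(text) < FIXED_VERSION


def installed_chrome_version(binary: str = "google-chrome") -> str:
    """Run `<binary> --version` and return its output (binary name is assumed)."""
    result = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real machine.
    samples = [
        "Google Chrome 94.0.4606.81",  # vulnerable
        "Google Chrome 95.0.4638.69",  # exactly the fixed version
        "Chromium 100.0.4896.60",      # fixed; a string compare would wrongly flag it
    ]
    for sample in samples:
        print(f"{sample}: {'VULNERABLE' if is_vulnerable(sample) else 'patched'}")
```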
📡 Detection & Monitoring
Log Indicators:
- Chrome crash reports with Web Transport related stack traces
- Unexpected process creation from Chrome sandbox
Network Indicators:
- HTTP requests to known malicious domains hosting exploit code
- Unusual Web Transport protocol traffic
SIEM Query (pseudo-query; field names depend on your SIEM schema, and the two conditions are grouped so that either one matches):
source="chrome" AND ((event_type="crash" AND process_name="chrome.exe" AND stack_trace CONTAINS "WebTransport") OR (process_creation AND parent_process="chrome.exe" AND sandbox_escape_indicator=*))
🔗 References
- https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
- https://crbug.com/1260940
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/
- https://www.debian.org/security/2022/dsa-5046