CVE-2021-38011 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2021-38011?

CVE-2021-38011 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Chrome's storage foundation that allows remote attackers to potentially exploit heap corruption via crafted HTML pages. It affects all users running Google Chrome versions prior to 96.0.4664.45. Successful exploitation could lead to arbitrary code execution.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's storage foundation that allows remote attackers to potentially exploit heap corruption via crafted HTML pages. It affects all users running Google Chrome versions prior to 96.0.4664.45. Successful exploitation could lead to arbitrary code execution.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 96.0.4664.45

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default Chrome configurations are vulnerable. Chromium-based browsers may also be affected depending on their patch status.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the Chrome process, potentially leading to full system compromise if combined with privilege escalation vulnerabilities.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within Chrome's sandbox, potentially allowing data theft or further exploitation.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious websites without user interaction beyond visiting the page.

🏢 Internal Only: MEDIUM - Requires user to visit malicious internal pages, but could be exploited via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Use-after-free vulnerabilities typically require precise timing and memory manipulation, but the attack vector (crafted HTML page) is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 96.0.4664.45 and later

Vendor Advisory: https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for updates and install version 96.0.4664.45 or later. 4. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious JavaScript that could trigger the vulnerability

chrome://settings/content/javascript → Block

Use Site Isolation

all

Enhances Chrome's sandboxing to limit impact of potential exploits

chrome://flags/#enable-site-per-process → Enable

🧯 If You Can't Patch

Disable Chrome entirely and use alternative browsers that are patched
Implement network filtering to block known malicious websites and HTML content

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: Open Chrome → Click three-dot menu → Help → About Google Chrome. If version is below 96.0.4664.45, you are vulnerable.

Check Version:

On Windows: "C:\Program Files\Google\Chrome\Application\chrome.exe" --version
On Linux: google-chrome --version
On macOS: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version

Verify Fix Applied:

Confirm Chrome version is 96.0.4664.45 or higher using the same method.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption signatures
Unexpected Chrome process termination events

Network Indicators:

HTTP requests to websites serving complex HTML/JavaScript with unusual patterns
Traffic to known exploit hosting domains

SIEM Query:

source="chrome_crash_reports" AND (message="heap corruption" OR message="use-after-free" OR message="ACCESS_VIOLATION")

📊 Metadata

CVE ID: CVE-2021-38011

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: December 23, 2021

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1268274 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/
https://www.debian.org/security/2022/dsa-5046 Third Party Advisory
https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1268274 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/
https://www.debian.org/security/2022/dsa-5046 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38011, you might also want to check these: