Cyber Resilience

CVE-2021-37973

Critical | CISA KEV | Active Exploitation | EUVD Exploited

Published: 08 October 2021
Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.1478 (94.7th percentile)
Risk Priority: 48 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-37973 is a critical-severity use-after-free (CWE-416) vulnerability in Google Chrome that is also listed against Fedoraproject Fedora and Debian. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

The vulnerability CVE-2021-37973 is a use-after-free issue in the Portals component of Google Chrome versions prior to 94.0.4606.61, tracked as CWE-416. It affects the renderer process when handling portal-related operations in the browser engine.

A remote attacker who has already compromised the renderer process can exploit the flaw by serving a crafted HTML page, potentially achieving a sandbox escape with high impact to confidentiality, integrity, and availability. The reported CVSS 3.1 score of 9.6 reflects the network attack vector, low complexity, required user interaction, and changed scope.

Chrome release notes and distribution advisories for Fedora and Debian indicate that the issue is resolved by updating to version 94.0.4606.61 or equivalent packaged builds; the corresponding Chromium bug report provides additional technical references for the fix. The available references supply no information on observed in-the-wild exploitation, although the CVE was added to the CISA KEV catalog on 03 November 2021.

EU & UK References

Vulnerability details

Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
google | chrome | ≤ 94.0.4606.61
fedoraproject | fedora | 33, 35
debian | debian linux | 10.0, 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (Chrome 94.0.4606.61) that eliminates the use-after-free flaw before a renderer compromise can be escalated.

prevent

Enforces memory-protection mechanisms that block exploitation of use-after-free conditions (CWE-416) in the renderer process.

prevent

Requires process isolation boundaries whose bypass is exactly what the sandbox-escape portion of this CVE attempts to achieve.

References