Cyber Resilience

CVE-2021-37975

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 08 October 2021

Published
08 October 2021
Modified
24 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.6298 98.4th percentile
Risk Priority 75 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-37975 is a high-severity Use After Free (CWE-416) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 1.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

The vulnerability CVE-2021-37975 is a use-after-free issue in the V8 JavaScript engine of Google Chrome versions prior to 94.0.4606.71. Classified as CWE-416, the flaw can lead to heap corruption when the browser processes a specially crafted HTML page.

A remote attacker can exploit the weakness by serving malicious web content that triggers the use-after-free condition. With a CVSS 3.1 score of 8.8, successful exploitation may allow an attacker to corrupt memory and achieve impacts on confidentiality, integrity, and availability without requiring authentication.

Chrome release notes and Fedora security advisories direct users to apply the stable-channel update to version 94.0.4606.71 or later. Corresponding package updates are available through distribution repositories to address the issue.

EU & UK References

Vulnerability details

Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 94.0.4606.71
fedoraproject
fedora
33, 34, 35
debian
debian linux
10.0, 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of security-relevant patches such as the Chrome 94.0.4606.71 update that eliminates the use-after-free flaw.

prevent

Enforces configuration settings that mandate approved, patched browser versions, thereby blocking vulnerable instances from remaining in use.

detect

Requires ongoing vulnerability scanning that would identify unpatched Chrome instances still susceptible to CVE-2021-37975 exploitation.

References