Cyber Resilience

CVE-2021-37976

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 08 October 2021
Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.2005 (95.6th percentile)
Risk Priority: 45 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-37976 is a medium-severity Missing Authorization (CWE-862) vulnerability in Fedoraproject Fedora. Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked in the top 4.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability CVE-2021-37976 stems from an inappropriate implementation in the Memory component of Google Chrome versions prior to 94.0.4606.71. Classified under CWE-862, the flaw permits access to data that should remain isolated within process memory.

A remote attacker can exploit the issue by delivering a crafted HTML page, which, when rendered, allows extraction of potentially sensitive information from the browser process. The attack vector is network-based with low complexity, requires no privileges, and depends on user interaction via the UI, yielding a high confidentiality impact per the CVSS 6.5 rating while leaving integrity and availability unaffected.

Chrome release notes direct users to upgrade to version 94.0.4606.71 or later, with corresponding fixed packages distributed through Fedora repositories to close the exposure. No details on observed in-the-wild exploitation appear in the referenced sources.

Vulnerability details

Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome: ≤ 94.0.4606.71
fedoraproject fedora: 33, 34, 35
debian debian linux: 10.0, 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires memory protection mechanisms that would block unauthorized extraction of sensitive data from process memory as exploited by this Chrome flaw.

prevent: Enforces access control decisions on memory objects so that a crafted page cannot read data outside its authorized scope (CWE-862).

prevent: Requires process isolation boundaries that limit the ability of one Chrome renderer process to reach another process's memory.

References