⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-37973Use After Free in Google Chrome

CWE-416Use After Free21 documents13 sources
Severity
9.6CRITICALNVD
EPSS
6.5%
top 8.88%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
Google ChromeChromiumDebian Chromium+4 more
Timeline
PublishedOct 8
KEV addedNov 3
KEV dueNov 17
Latest updateMar 5
CISA Required Action: Apply updates per vendor instructions.

Description

Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages6 packages

CVEListV5google/chromeunspecified94.0.4606.61
NVDgoogle/chrome< 94.0.4606.61
debiandebian/chromium< chromium 97.0.4692.71-0.1 (bookworm)
Debianchromium/chromium< 97.0.4692.71-0.1~deb11u1+3

Also affects: Debian Linux 10.0, 11.0, Fedora 33, 35

Patches

Patch: crbug.comPatch: crbug.com

🔴Vulnerability Details

4
GHSA
GHSA-w2c8-qc3j-3xr5: Use after free in Portals in Google Chrome prior to 942022-05-24
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
OSV
CVE-2021-37973: Use after free in Portals in Google Chrome prior to 942021-10-08
VulnCheck
Google Chromium Portals Use-After-Free Vulnerability2021

📋Vendor Advisories

4
CISA
Google Chromium Portals Use-After-Free Vulnerability2021-11-03
Chrome
Stable Channel Update for Desktop: CVE-2021-379732021-09-24
Microsoft
Chromium: CVE-2021-37973 Use after free in Portals2021-09-14
Debian
CVE-2021-37973: chromium - Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remot...2021

🕵️Threat Intelligence

12
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review2026-03-05
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review2026-03-05
Mandiant
Intellexa’s Prolific Zero-Day Exploits Continue2025-12-03
Mandiant
Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue2025-12-03
Google Tag
State-backed attackers and commercial surveillance vendors repeatedly use the same exploits2024-08-29