CVE-2021-37973
Published: 2021-10-08
Priority: P186 · critical · 9.6 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2021-11-17
ITW: Exploited in the wild
EPSS: 11.73% (95.5th percentile)
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 97.0.4692.71-0.1~deb11u1 | 97.0.4692.71-0.1~deb11u1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| debian | chromium | < chromium 97.0.4692.71-0.1 (bookworm) | chromium 97.0.4692.71-0.1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 94.0.4606.61 | 94.0.4606.61 | |
| chrome | >= unspecified < 94.0.4606.61 | 94.0.4606.61 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
- Detect watering hole iframe injection: monitor for hidden iframes on government websites pointing to attacker-controlled domains track-adv[.]com or ceo-adviser[.]com with specific PHP paths (/market-analytics.php, /fb-connect.php, /analytics.php).
- Detect use of indexedDB database named 'tracker' on the client side, used by the Chrome exploit chain to store status information.
- Detect unique session identifier format (e.g., 2msa5mmjhqxpdsyb5vlcnd2t, 24-char lowercase alphanumeric) passed as 'tt=' parameter in all exploit stage requests to track-adv[.]com.
- Detect reconnaissance payload sending back browser fingerprint data (screen sizes, CPU count, GPU info, navigator properties, client hints Brands) to C2 prior to exploit delivery.
- The cookie stealer payload targets a hard-coded list of authentication endpoints; monitor for anomalous websocket connections to attacker-controlled IPs originating from these domains.
- Detect C2 key exchange: reconnaissance payload makes a second request with 'gcr=1' as a URL parameter to retrieve the AES decryption key for the next-stage payload.
- CVE-2021-37973 was part of a five-CVE exploit chain (also including CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048); detection of this CVE alone may not indicate full compromise without the accompanying privilege escalation chain.
- The same exploit infrastructure (track-adv[.]com) and cookie stealer framework were reused across multiple campaigns (2021, November 2023, February 2024, July 2024), so these IOCs may have long operational lifespans and could be reactivated.
- The Chrome exploit chain required sandbox escape (CVE-2024-4671) in addition to CVE-2021-37973-era Portals UAF; Site Isolation forces attackers to chain more vulnerabilities, so a single CVE patch is insufficient for full protection.
- The PREDATOR/ALIEN QUAILEGGS privilege escalation component code was not obtained; the exact exploit mechanism for CVE-2021-1048 within QUAILEGGS is assessed but not confirmed.
CVSS provenance
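| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 9.6 | CRITICAL | — |
| vulncheck | — | 9.6 | CRITICAL | — |
| cisa | — | 9.6 | CRITICAL | — |
| vendor_debian | — | 9.6 | CRITICAL | — |
| vendor_msrc | — | 9.6 | CRITICAL | — |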
GHSA
GHSA-w2c8-qc3j-3xr5: Use after free in Portals in Google Chrome prior to 94
ghsa_unreviewed·2022-05-24
CVE-2021-37973 [CRITICAL] CWE-416 GHSA-w2c8-qc3j-3xr5: Use after free in Portals in Google Chrome prior to 94
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
OSV
CVE-2021-37973: Use after free in Portals in Google Chrome prior to 94
osv·2021-10-08·CVSS 9.6
CVE-2021-37973 [CRITICAL] CVE-2021-37973: Use after free in Portals in Google Chrome prior to 94
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
VulnCheck
Google Chromium Portals Use-After-Free Vulnerability
vulncheck·2021·CVSS 9.6
CVE-2021-37973 [CRITICAL] CWE-416 Google Chromium Portals Use-After-Free Vulnerability
Google Chromium Portals Use-After-Free Vulnerability
Google Chromium Portals contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge.
Affected: Google Chromium Portals
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.talosintelligence.com/mercenary-i
CISA
Google Chromium Portals Use-After-Free Vulnerability
cisa·2021-11-03·CVSS 9.6
CVE-2021-37973 [CRITICAL] CWE-416 Google Chromium Portals Use-After-Free Vulnerability
Vulnerability: Google Chromium Portals Use-After-Free Vulnerability
Affected: Google Chromium Portals
Google Chromium Portals contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-37973
Remediation Due Date: 2021-11-17
Chrome
Stable Channel Update for Desktop: CVE-2021-37973
vendor_chrome·2021-09-24·CVSS 9.6
CVE-2021-37973 [HIGH] Stable Channel Update for Desktop: CVE-2021-37973
Stable Channel Update for Desktop
CVE-2021-37973: Use after free in Portals. Reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Severity: high
Microsoft
Chromium: CVE-2021-37973 Use after free in Portals
vendor_msrc·2021-09-14·CVSS 9.6
CVE-2021-37973 [CRITICAL] Chromium: CVE-2021-37973 Use after free in Portals
Chromium: CVE-2021-37973 Use after free in Portals
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware that an exploit for CVE-2021-37973 exists in the wild.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 94.0.992.31 | 9/24/2021 | 94.0.4606.54 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is n
Debian
CVE-2021-37973: chromium - Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remot...
vendor_debian·2021·CVSS 9.6
CVE-2021-37973 [CRITICAL] CVE-2021-37973: chromium - Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remot...
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 97.0.4692.71-0.1)
bullseye: resolved (fixed in 97.0.4692.71-0.1~deb11u1)
forky: resolved (fixed in 97.0.4692.71-0.1)
sid: resolved (fixed in 97.0.4692.71-0.1)
trixie: resolved (fixed in 97.0.4692.71-0.1)
No detection rules found.
No public exploits indexed.
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
Look What You Made Us Patch: 2025 Zero-Days in Review
## Look What You Made Us Patch: 2025 Zero-Days in Review
## Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
## Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Mandiant
Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
blogs_mandiant·2025-12-03
Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
## Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
## Google Threat Intelligence Group
## Introduction
Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving.
Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders. Alongside research published by our colleagues from Recorded Future and Amne
Google Tag
State-backed attackers and commercial surveillance vendors repeatedly use the same exploits
blogs_google_tag·2024-08-29
State-backed attackers and commercial surveillance vendors repeatedly use the same exploits
Threat Analysis Group
## State-backed attackers and commercial surveillance vendors repeatedly use the same exploits
Aug 29, 2024
Today, we’re sharing that Google’s Threat Analysis Group (TAG) observed multiple in-the-wild exploit campaigns, between November 2023 and July 2024, delivered from a watering hole attack on Mongolian government websites. The campaigns first delivered an iOS WebKit exploit affecting iOS versions older than 16.6.1 and then later, a Chrome exploit chain against Android users running versions from m121 to m123. These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices. We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29. In each iteration o
Talos
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
blogs_talos·2023-05-25
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
We would like to thank The Citizen Lab for their cooperation, support and inputs into this research.
- Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
- Our research specifically looks at two components of this mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the spyware implant. Our findings include an in-depth walkthrough of the infection chain, including the implants’ various information-stealing capabilities.
- A deep dive into both spyware components indicates that ALIEN is more than just a loader for PREDATOR and acti
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Talos
Threat Source newsletter (Sept. 30, 2021)
blogs_talos·2021-09-30
Threat Source newsletter (Sept. 30, 2021)
Good afternoon, Talos readers.
In the latest example of attackers trying to capitalize on current headlines, we've spotted a group using the recent fervor around the Pegasus spyware to spread malware.
We've detailed a campaign in which the attackers have copied (nearly perfectly) Amnesty International's website and are advertising a tool to sniff out the spyware and remove it. The problem is, there is no such software, and instead, it just downloads a RAT on your device.
Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at [email protected].
## Upcoming Talos public engagements
Snort 3 and Me: The rule writers speak
Date: Oct. 5, 11 a.m. ET
Location: Virtual
Description: In the latest entry into
Checkpoint
27th September – Threat Intelligence Report
blogs_checkpoint·2021-09-26·CVSS 9.8
CVE-2021-26855 [CRITICAL] 27th September – Threat Intelligence Report
## 27th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 27th September, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Conti ransomware gang has hit Covisian’s Spanish and Latin America subsidiary, Europe’s major customer service and call center providers, affecting several of their internal systems. According to the company, there were no discussions or negotiations about any ransom.
Check Point Harmony Endpoint provides protection
References
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html
- https://crbug.com/1251727
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
- https://www.debian.org/security/2022/dsa-5046
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-37973
Timeline
- 2021-10-08: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild