CVE-2021-37976
published 2021-10-08

Priority: P277 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
KEV · ITW
CISA Known Exploited Vulnerability (due 2021-11-17)
Exploited in the wild
EPSS: 19.90% (97.1 percentile)
Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

Affected (14 ranges)

Vendor         Product          Version range                                  Fixed in
chromium       chromium         >= 0 < 97.0.4692.71-0.1~deb11u1                97.0.4692.71-0.1~deb11u1
chromium       chromium         >= 0 < 97.0.4692.71-0.1                        97.0.4692.71-0.1
chromium       chromium         >= 0 < 97.0.4692.71-0.1                        97.0.4692.71-0.1
chromium       chromium         >= 0 < 97.0.4692.71-0.1                        97.0.4692.71-0.1
debian         chromium         < 97.0.4692.71-0.1 (bookworm)                  97.0.4692.71-0.1 (bookworm)
debian         debian_linux     (no version range given)
debian         debian_linux     (no version range given)
fedoraproject  fedora           (no version range given)
fedoraproject  fedora           (no version range given)
fedoraproject  fedora           (no version range given)
google         chrome           < 94.0.4606.71                                 94.0.4606.71
google         chrome           >= unspecified < 94.0.4606.71                  94.0.4606.71
google         chrome_chrome    (no version range given)
msrc           microsoft_edge   (no version range given)

Note that the Debian rows list the first Debian chromium package that carries the fix (97.0.4692.71-0.1), not the upstream fix version 94.0.4606.71. When checking a Debian host, compare the installed package version against the Debian row; the Google row applies to upstream Chrome builds.

Detection & IOCs (extracted from sources)

Fixed version: 94.0.4606.71
  • CVE-2021-37976 was exploited in the wild as part of a chained exploit sequence (alongside CVE-2021-37973, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048) to deliver the ALIEN/PREDATOR spyware implant via a one-click link.
  • The ALIEN spyware component injects into the zygote64 process on Android; monitor for unexpected code injection or anomalous child processes spawned from zygote64.
  • Presence of the file fs.db (an encrypted SQLite3 database) on an Android device may indicate PREDATOR spyware activity.
  • The ALIEN component configuration embeds a URL used to download the PREDATOR component; network monitoring for anomalous download requests from privileged Android processes may reveal C2 activity.
  • This vulnerability is confirmed exploited in the wild per CISA KEV; prioritize detection on Chromium-based browsers. The 94.0.4606.71 threshold is a Chromium build number and applies directly to Google Chrome and Chromium; Microsoft Edge and Opera use their own version numbering, so map each installed build to its underlying Chromium release before applying the threshold.
  • The PREDATOR spyware uses a privilege escalation method called QUAILEGGS; without access to the QUAILEGGS code, the exact exploitation mechanism cannot be confirmed, though CVE-2021-1048 is assessed as the likely target.
  • Two PREDATOR components, 'tcore' (core spyware functionality) and 'kmem' (kernel read/write), were not obtained for analysis; full detection coverage of the implant is therefore incomplete.
  • ALIEN's initial loading mechanism is unknown; it is assessed to be loaded from shellcode executed by the initial exploit stage, but this has not been confirmed.
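The version thresholds in the Affected table and the browser-version detection bullet above translate into a simple inventory check. The following is an added example (not code from this page or from any of the cited sources): it compares reported Chrome and Debian chromium versions against the fixed versions listed on the page, strips Debian package revisions before comparing, and refuses to decide for Edge, whose version numbers are not Chromium build numbers. The inventory format (host,vendor,product,version) and the sample hosts are constructed assumptions.

```python
"""Flag browser installs inside the affected range for CVE-2021-37976.

Added example. Thresholds are the fixed versions listed on this page; the
inventory line format (host,vendor,product,version) is an assumption.
"""
import re
from typing import Optional

FIXED_UPSTREAM = "94.0.4606.71"      # Google Chrome / upstream Chromium
FIXED_DEBIAN = "97.0.4692.71-0.1"    # first fixed Debian chromium package

_DOTTED = re.compile(r"\d+(?:\.\d+)*")


def parse_version(version: str) -> tuple:
    """'97.0.4692.71-0.1~deb11u1' -> (97, 0, 4692, 71).

    Debian package versions append a revision ('-0.1', '~deb11u1'); only the
    upstream dotted number is comparable with Chrome's own version string.
    """
    upstream = re.split(r"[-~]", version, maxsplit=1)[0]
    if not _DOTTED.fullmatch(upstream):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in upstream.split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison of dotted versions; shorter tuples are zero-padded
    so '94.0' compares as 94.0.0.0 rather than as a shorter prefix."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    return va + (0,) * (n - len(va)) < vb + (0,) * (n - len(vb))


def is_affected(vendor: str, product: str, version: str) -> Optional[bool]:
    """True  -> build is older than the fix and needs patching.
    False -> at or above the fixed version.
    None  -> undetermined: Edge (and Opera) carry their own version numbers,
             not the Chromium build number, so they must be mapped to the
             underlying Chromium release before this threshold applies.
    """
    key = (vendor.lower(), product.lower())
    if key == ("google", "chrome"):
        return version_lt(version, FIXED_UPSTREAM)
    # The page's chromium/chromium and debian/chromium rows both give the
    # Debian package version as the fix point, so both use that threshold.
    if key in {("chromium", "chromium"), ("debian", "chromium")}:
        return version_lt(version, FIXED_DEBIAN)
    return None


# Constructed inventory lines (host,vendor,product,version), not real hosts.
SAMPLE_INVENTORY = """\
ws-01,google,chrome,94.0.4606.61
ws-02,google,chrome,94.0.4606.71
srv-03,debian,chromium,93.0.4577.82-1
srv-04,debian,chromium,97.0.4692.71-0.1~deb11u1
ws-05,msrc,microsoft_edge,94.0.992.31
"""


def scan_inventory(text: str) -> dict:
    """Bucket hosts into affected / patched / undetermined."""
    result = {"affected": [], "patched": [], "undetermined": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, vendor, product, version = (f.strip() for f in line.split(","))
        verdict = is_affected(vendor, product, version)
        if verdict is None:
            result["undetermined"].append(host)
        elif verdict:
            result["affected"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:>12}: {', '.join(hosts) or '-'}")
```

The comparison is strictly less-than, matching the "prior to 94.0.4606.71" wording: a host on exactly the fixed build is reported as patched. Hosts the check cannot decide are surfaced rather than silently skipped, so Edge installs still end up on the review list.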

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:P/I:N/A:N
osv                     6.5    MEDIUM
vulncheck               6.5    MEDIUM
cisa                    6.5    MEDIUM
vendor_debian           6.5    MEDIUM
vendor_msrc             6.5    MEDIUM