⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-37976 — Missing Authorization in Google Chrome

CWE-862 — Missing Authorization16 documents12 sources

Severity

6.5MEDIUMNVD

EPSS

7.7%

top 8.08%

CISA KEV

KEV

Added 2021-11-03

Due 2021-11-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Google Chrome Chromium Debian Chromium +4 more

Timeline

PublishedOct 8

KEV addedNov 3

KEV dueNov 17

Latest updateDec 3

CISA Required Action: Apply updates per vendor instructions.

Description

Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5google/chromeunspecified — 94.0.4606.71

▶NVDgoogle/chrome< 94.0.4606.71

▶googlegoogle/chrome_chrome

▶debiandebian/chromium< chromium 97.0.4692.71-0.1 (bookworm)

▶Debianchromium/chromium< 97.0.4692.71-0.1~deb11u1+3

Also affects: Debian Linux 10.0, 11.0, Fedora 33, 34, 35

🔴Vulnerability Details

GHSA

GHSA-c9r9-7qcg-7h37: Inappropriate implementation in Memory in Google Chrome prior to 94↗2022-05-24

▶

Project0

The More You Know, The More You Know You Don’t Know - Project Zero↗2022-04-01

▶

OSV

CVE-2021-37976: Inappropriate implementation in Memory in Google Chrome prior to 94↗2021-10-08

▶

VulnCheck

Google Chromium Information Disclosure Vulnerability↗2021

▶

📋Vendor Advisories

CISA

Google Chromium Information Disclosure Vulnerability↗2021-11-03

▶

Microsoft

Chromium: CVE-2021-37976 Information leak in core↗2021-10-12

▶

Chrome

Stable Channel Update for Desktop: CVE-2021-37974↗2021-09-30

▶

Debian

CVE-2021-37976: chromium - Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 al...↗2021

▶

🕵️Threat Intelligence

Mandiant

Intellexa’s Prolific Zero-Day Exploits Continue↗2025-12-03

▶

Mandiant

Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue↗2025-12-03

▶

Talos

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware↗2023-05-25

▶

Talos

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware↗2023-05-25

▶

Qualys

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys↗2022-02-23

▶