← back
CVE-2021-37973

CVE-2021-37973

CVSS 9.6 CRITICALEPSS 11.7%● KEVCWE-416
In short

A memory flaw in Chrome's Portals feature lets attackers use freed memory to escape the browser's security sandbox. An attacker with control over the webpage's rendering process can exploit this to gain full system access.

Technical detail

Use-after-free vulnerability in Chrome Portals API (CWE-416) allows a compromised renderer process to access deallocated memory objects. Exploitation requires crafted HTML and renderer compromise, enabling sandbox escape with full system execution privileges.

Summary generated and translated by AI from the official description.
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
Google · Chrome

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.htmlhttps://crbug.com/1251727https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-37973https://www.debian.org/security/2022/dsa-5046