Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2021-37975

Disclosure Date: October 08, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Add Assessment

1
Ratings
Technical Analysis

Exploitation in the wild of this bug has been noted as reported by Google at https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html. The bug details are available at https://bugs.chromium.org/p/chromium/issues/detail?id=1252918 but are still classified to the public until more people have patched.

The bug in question is a Use-After-Free vulnerability in the V8 JavaScript rendering engine of Google Chrome prior to 94.0.4606.71. It was reported by an anonymous user on 2021-09-24. Use-After-Free vulnerabilities in V8 are not all that uncommon and are frequently used in the wild to attack Chrome users, as was observed with this particular bug. They often give an attacker access to the user’s desktop considering that the V8 engine is not sandboxed, although according to https://www.zdnet.com/article/bugs-in-chromes-javascript-engine-can-lead-to-powerful-exploits-this-project-aims-to-stop-them/, there are plans by Google to potentially look at sandboxing the V8 engine in the future.

All in all given the severity of this bug, the lack of sandboxing of the V8 engine, the history of exploitation of V8 bugs in the past giving a rich knowledge base for attackers to work from, and the fact that this bug has been exploited in the wild already, I would highly recommend patching this bug as soon as possible.

If this is not possible then JavaScript should be disabled on all untrusted sites using a plugin such as NoScript or by disabling JavaScript execution within the settings of Chrome itself to avoid exposing oneself to this vulnerability until patches can be deployed.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • debian,
  • fedoraproject,
  • google

Products

  • chrome,
  • debian linux 10.0,
  • debian linux 11.0,
  • fedora 33,
  • fedora 34,
  • fedora 35
Technical Analysis