Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2021-37975

Disclosure Date: October 08, 2021
CVE-2021-37975 CVSS v3 Base Score: 8.8
Exploited in the Wild
Reported by mkienow-r7 and 2 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Add Assessment

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Common in enterpriseUnauthenticatedVulnerable in default configuration
Technical Analysis

Exploitation in the wild of this bug has been noted as reported by Google at https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html. The bug details are available at https://bugs.chromium.org/p/chromium/issues/detail?id=1252918 but are still classified to the public until more people have patched.

The bug in question is a Use-After-Free vulnerability in the V8 JavaScript rendering engine of Google Chrome prior to 94.0.4606.71. It was reported by an anonymous user on 2021-09-24. Use-After-Free vulnerabilities in V8 are not all that uncommon and are frequently used in the wild to attack Chrome users, as was observed with this particular bug. They often give an attacker access to the user’s desktop considering that the V8 engine is not sandboxed, although according to https://www.zdnet.com/article/bugs-in-chromes-javascript-engine-can-lead-to-powerful-exploits-this-project-aims-to-stop-them/, there are plans by Google to potentially look at sandboxing the V8 engine in the future.

All in all given the severity of this bug, the lack of sandboxing of the V8 engine, the history of exploitation of V8 bugs in the past giving a rich knowledge base for attackers to work from, and the fact that this bug has been exploited in the wild already, I would highly recommend patching this bug as soon as possible.

If this is not possible then JavaScript should be disabled on all untrusted sites using a plugin such as NoScript or by disabling JavaScript execution within the settings of Chrome itself to avoid exposing oneself to this vulnerability until patches can be deployed.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Chrome 94.0.4606.71
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fedoraproject,
  • google

Products

  • chrome,
  • debian linux 10.0,
  • debian linux 11.0,
  • fedora 33,
  • fedora 34,
  • fedora 35

Exploited in the Wild

Reported by:
Technical Analysis