Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Use-after-free in Google Chrome Portals sandbox escape

Identifiers: CVE-2021-37973, CWE-416 · Use After Free

CVE-2021-37973 is a use-after-free vulnerability in the Portals component of Google Chrome affecting versions prior to 94.0.4606.61. The flaw can be triggered via a crafted HTML page and was exploitable by a remote attacker who had already compromised the renderer process. The bug is not described as a generic browser-sandbox flaw; rather, it is a memory-safety issue in Portals that could be used as part of a Chrome exploit chain to escape the sandbox.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation could allow an attacker who already achieved code execution or compromise within the Chrome renderer process to break out of the renderer sandbox. In practical terms, this elevates an attacker from a constrained renderer context to a more privileged context outside the browser sandbox, enabling follow-on compromise of the host or use in multi-stage spyware delivery chains.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting use of untrusted web content, isolating high-risk browsing activity, and enforcing rapid browser update policies. Because exploitation requires prior renderer compromise, layered mitigations that reduce initial renderer exploitation risk—such as disabling unnecessary web features where operationally feasible, using site isolation and exploit mitigations provided by the platform/browser, and restricting access to attacker-controlled pages—may reduce likelihood of successful chaining, but patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 94.0.4606.61 or later, as the vulnerability affects Chrome prior to 94.0.4606.61. Apply vendor-provided patches across all Chromium-based deployments where applicable and prioritize patching on exposed end-user systems, especially Android-targeted environments referenced in the supplied reporting.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor          Product        Type
Debian          Debian Linux   operating_system
Fedora Project  Fedora         operating_system
Google          Chrome         application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
