CVE-2021-37972: 
vulnerability analysis and mitigation

CVE-2021-37972 is a security vulnerability discovered in the libjpeg-turbo component of Google Chrome versions prior to 94.0.4606.54. The vulnerability was reported by Xu Hanyu and Lu Yutao from Panguite-Forensics-Lab of Qianxin on July 29, 2021, and was publicly disclosed in September 2021 (Chrome Release).

The vulnerability is classified as an out-of-bounds read vulnerability in the libjpeg-turbo library, specifically affecting the 64-bit SSE2 Huffman encoder. According to the National Vulnerability Database, it has been assigned a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability could allow a remote attacker to potentially exploit heap corruption through a specially crafted HTML page. This could lead to arbitrary code execution, information disclosure, or system crashes (NVD).

The vulnerability was patched in Google Chrome version 94.0.4606.54. Users are advised to update to this version or later. The fix has also been backported to various Linux distributions including Debian and Fedora (Debian Advisory, Fedora Update).