CVE-2021-37973: 
vulnerability analysis and mitigation

CVE-2021-37973 is a Use-after-free vulnerability discovered in the Portals API of Google Chrome versions prior to 94.0.4606.61. The vulnerability was reported by Clément Lecigne from Google's Threat Analysis Group (TAG) on September 21, 2021, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero (Chrome Release).

The vulnerability is classified as a Use-after-free (CWE-416) weakness in Chrome's Portals API, which is a web page navigation system that enables a page to show another page as an inset and perform seamless transitions. The vulnerability has received a CVSS v3.1 base score of 9.6 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. This could lead to arbitrary code execution outside the browser's security sandbox (Hacker News).

Google released a patch in Chrome version 94.0.4606.61 for Windows, Mac, and Linux to address this vulnerability. Users were advised to update their Chrome browsers immediately through Chrome menu > Help > About Google Chrome. The update was rolled out globally to the Stable desktop channel (Chrome Release).