CVE-2021-37984: 
vulnerability analysis and mitigation

A heap buffer overflow vulnerability (CVE-2021-37984) was discovered in PDFium component of Google Chrome versions prior to 95.0.4638.54. The vulnerability was reported by Antti Levomäki, Joonas Pihlaja and Christian Jalio from Forcepoint on September 27, 2021, and was patched in the stable channel update released on October 19, 2021 (Chrome Release).

The vulnerability is classified as a heap buffer overflow in PDFium, which could allow remote attackers to potentially exploit heap corruption through a specially crafted HTML page. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

If successfully exploited, this vulnerability could lead to heap corruption, potentially allowing attackers to execute arbitrary code, cause denial of service, or compromise system security. The high CVSS score indicates severe potential consequences if the vulnerability is exploited (NVD).

Google addressed this vulnerability in Chrome version 95.0.4638.54. Users are advised to update to this version or later. The fix was also backported to various Linux distributions, including Debian, which addressed it in their security update DSA-5046-1 (Debian Advisory).