CVE-2021-37988: 
vulnerability analysis and mitigation

Use after free vulnerability (CVE-2021-37988) was discovered in the Profiles component of Google Chrome versions prior to 95.0.4638.54. The vulnerability allows a remote attacker to potentially exploit heap corruption through a crafted HTML page when a user is convinced to perform specific gestures (Chrome Blog, NVD).

The vulnerability is classified as a Use After Free (CWE-416) issue in the Profiles component. It received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and user interaction required for exploitation (NVD).

If successfully exploited, this vulnerability could lead to heap corruption, potentially allowing an attacker to execute arbitrary code with the privileges of the Chrome browser process. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability was patched in Google Chrome version 95.0.4638.54. Users and administrators should ensure their Chrome installations are updated to this version or later. Various Linux distributions have also released security updates to address this vulnerability, including Debian which fixed it in version 97.0.4692.71-0.1~deb11u1 (Debian Advisory).