Multiple vulnerabilities in Google Chrome
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 18 |
| CVE-ID | CVE-2021-38007 CVE-2021-38015 CVE-2021-38022 CVE-2021-38021 CVE-2021-38020 CVE-2021-38019 CVE-2021-38018 CVE-2021-38017 CVE-2021-38016 CVE-2021-38014 CVE-2021-38008 CVE-2021-38013 CVE-2021-38012 CVE-2021-38011 CVE-2021-38010 CVE-2021-38005 CVE-2021-38006 CVE-2021-38009 |
| CWE-ID | CWE-843 CWE-358 CWE-264 CWE-787 CWE-416 CWE-122 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 18 vulnerabilities.
1) Type Confusion
EUVDB-ID: #VU58155
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38007
CWE-ID:
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1254189
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38007
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
2) Improperly implemented security check for standard
EUVDB-ID: #VU58165
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38015
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in input in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/957553
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38015
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
3) Improperly implemented security check for standard
EUVDB-ID: #VU58172
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-38022
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in WebAuthentication in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1248862
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38022
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
4) Improperly implemented security check for standard
EUVDB-ID: #VU58171
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38021
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in referrer in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1233375
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38021
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
5) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU58170
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38020
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in contacts picker in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1259694
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38020
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
6) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU58169
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38019
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in CORS in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1251179
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38019
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
7) Improperly implemented security check for standard
EUVDB-ID: #VU58168
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38018
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1197889
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38018
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
8) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU58167
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38017
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in iframe sandbox in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1256822
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38017
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
9) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU58166
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38016
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in background fetch in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1244289
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38016
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
10) Out-of-bounds write
EUVDB-ID: #VU58164
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38014
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Swiftshader. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1248567
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38014
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
11) Use-after-free
EUVDB-ID: #VU58156
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38008
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the media component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1263620
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38008
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
12) Heap-based buffer overflow
EUVDB-ID: #VU58163
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38013
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in fingerprint recognition. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1242392
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38013
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
13) Type Confusion
EUVDB-ID: #VU58162
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38012
CWE-ID:
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a type confusion error and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1262791
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38012
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
14) Use-after-free
EUVDB-ID: #VU58161
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38011
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the storage foundation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1268274
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38011
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
15) Improperly implemented security check for standard
EUVDB-ID: #VU58160
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38010
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in service workers in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1264477
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38010
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
16) Use-after-free
EUVDB-ID: #VU58159
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38005
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the loader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1241091
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38005
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
17) Use-after-free
EUVDB-ID: #VU58158
Risk: High
CVSSv3.1:
CVE-ID: CVE-2021-38006
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the storage foundation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1240593
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38006
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
18) Improperly implemented security check for standard
EUVDB-ID: #VU58157
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-38009
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in cache in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 7.0.517.41 - 95.0.4638.69
CPE2.3 External links
http://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
http://crbug.com/1260649
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38009
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
