CVE-2021-37973 — Google Chromium Portals Use-After-Free Vulnerability

CVE-2021-37973

Google Chrome/Chromium — Zero-Day Portals API UAF Enabling Renderer Sandbox Escape, Discovered by Google TAG and Patched in Chrome 94

What is the Chromium Portals API?

Portals is an experimental Chromium web API that enables seamless page transitions and previews — allowing a page to embed another page as a "portal" that can then be activated (navigated into) with a smooth animation. Portals are implemented in the Chromium renderer process and involve complex object lifecycle management across the portal host page and the embedded portal content. The complexity of managing cross-context object lifetimes in Portals created opportunities for use-after-free bugs.

Overview

CVE-2021-37973 is a use-after-free (UAF) vulnerability (CWE-416) in the Chromium Portals API implementation. A malicious web page can exploit this UAF to achieve memory corruption in the Chrome renderer process, enabling sandbox escape and arbitrary code execution on the host OS. Google's Threat Analysis Group (TAG) researcher Clément Lecigne discovered this vulnerability — indicating it was found during TAG's monitoring of government-backed attackers exploiting Chrome zero-days in the wild. Google patched it as an actively exploited zero-day in Chrome 94.0.4606.61 on September 30, 2021.

Affected Versions

Product                       | Vulnerable             | Fixed
Google Chrome                 | < 94.0.4606.61         | 94.0.4606.61
Microsoft Edge (Chromium)     | Corresponding versions | Corresponding update
Other Chromium-based browsers | Corresponding versions | Corresponding update

Technical Details

The Portals API implementation manages embedded portal pages within a host page. The UAF occurs when portal-related objects are freed during specific navigation or activation sequences while references to those objects remain accessible:

  • Root cause: UAF in Chromium's Portals implementation — portal-related objects (HTMLPortalElement or associated IPC objects) are freed while dangling references allow continued access
  • Renderer corruption: Successful UAF exploitation provides controlled heap corruption within the renderer sandbox, enabling type confusion attacks and arbitrary read/write primitives
  • Sandbox escape: The renderer-level primitives are used to escape the Chromium sandbox by exploiting the browser process or kernel — the "Scope Changed" CVSS metric reflects this cross-process impact
  • Discovery: Clément Lecigne of Google TAG, who focuses on government-backed attacker activity, discovered this vulnerability — indicating observation of active exploitation in nation-state attack chains
  • Exploit chain: CVE-2021-37973 was patched alongside CVE-2021-30633 (Indexed DB UAF) and CVE-2021-37976 (information leak), suggesting these were used together as a multi-stage exploit chain

Discovery

Discovered by Clément Lecigne of Google's Threat Analysis Group (TAG). TAG specializes in tracking government-sponsored cyberattacks — discoveries by TAG members typically indicate active exploitation by nation-state actors prior to patch availability.

Exploitation Context

Zero-day Chrome sandbox escapes are high-value capabilities operated primarily by sophisticated nation-state actors or commercial surveillance vendors (such as NSO Group and Candiru). Exploitation of CVE-2021-37973 was confirmed in the wild before the September 30, 2021 patch, consistent with a targeted spyware or intelligence-collection operation against high-value individuals. The September 2021 Chrome zero-day cluster (CVE-2021-37973, CVE-2021-30633 and CVE-2021-37976, all patched in the same emergency update) represents a particularly sophisticated exploit chain.

Remediation

  1. Update Chrome to version 94.0.4606.61 or later immediately
  2. Enable automatic Chrome updates for rapid zero-day patching
  3. Update all Chromium-based browsers (Microsoft Edge, Opera, Brave) to their corresponding patched versions
  4. For high-risk individuals (journalists, activists, government officials): consider iOS/Android alternatives to desktop Chrome for sensitive work, or use Chrome with Site Isolation strictly enabled
  5. Enable Chrome's Enhanced Safe Browsing for additional telemetry-based protection
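Remediation step 1 and the Affected Versions table reduce to one check: is the installed build older than 94.0.4606.61? The following is an added example (not part of this advisory or of Chromium) that parses the output of `google-chrome --version` style strings and compares the four-part build number numerically rather than as text, so that a build such as 94.0.4606.7 is correctly ordered before 94.0.4606.61. The binary names tried by `installed_chrome_version()` are the usual Linux/macOS command names and are an assumption; the sample version strings in `SAMPLE_OUTPUTS` are constructed for illustration.

```python
"""Check whether a Chrome/Chromium build predates the CVE-2021-37973 fix (94.0.4606.61)."""
import re
import shutil
import subprocess

FIXED_VERSION = "94.0.4606.61"  # first fixed Chrome release per the advisory

# Constructed sample outputs, in the format `google-chrome --version` prints.
SAMPLE_OUTPUTS = [
    "Google Chrome 93.0.4577.82",   # earlier stable branch: vulnerable
    "Google Chrome 94.0.4606.54",   # same branch, earlier build: vulnerable
    "Google Chrome 94.0.4606.7",    # textual compare would wrongly call this fixed
    "Google Chrome 94.0.4606.61",   # the fix itself
    "Chromium 95.0.4638.54 snap",   # later release: fixed
]


def parse_version(text):
    """Extract a dotted MAJOR.MINOR.BUILD.PATCH version from a string and
    return it as a tuple of ints so it compares numerically."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome-style version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the build in version_text is older than the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version():
    """Return the `--version` output of the first Chrome/Chromium binary on PATH,
    or None if none is installed. Binary names are an assumption (common Linux/macOS names)."""
    for binary in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(binary)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return result.stdout.strip()
    return None


def classify(outputs):
    """Map each version string to a verdict; used for the constructed samples below."""
    return {text: ("VULNERABLE" if is_vulnerable(text) else "fixed") for text in outputs}


if __name__ == "__main__":
    for text, verdict in classify(SAMPLE_OUTPUTS).items():
        print(f"{text:32s} -> {verdict}")
    local = installed_chrome_version()
    if local:
        print(f"installed: {local} -> {'VULNERABLE' if is_vulnerable(local) else 'fixed'}")
```

The tuple comparison is the point: a plain string comparison of "94.0.4606.7" against "94.0.4606.61" orders the digit "7" after "6" and would report the older build as patched. The same helper applies to any Chromium-based browser that reports a four-part Chromium version, but the fixed version for Edge, Opera or Brave must be taken from that vendor's own advisory.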

Key Details

Property             | Value
CVE ID               | CVE-2021-37973
Vendor / Product     | Google — Chromium Portals
NVD Published        | 2021-10-08
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 9.6
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-416
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Changed
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date       | Event
2021-09-30 | Google releases Chrome 94.0.4606.61 patching CVE-2021-37973 as a zero-day
2021-10-08 | CVE formally published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline