CVE-2021-37976 — Google Chromium Information Disclosure Vulnerability

CVE-2021-37976

Chrome Core Memory Component: Memory Information Leak Reveals Renderer Process Memory Contents to a Remote Attacker; Exploited in the Wild, and Plausibly the ASLR-Defeat Stage of a Multi-Stage Exploit Chain

What Are ASLR and Memory Information Leaks in Chrome?

Address Space Layout Randomization (ASLR) randomizes the base addresses of the executable, shared libraries, heap and stack each time a process starts, so an attacker cannot know in advance where code or data will sit. In a modern browser exploit chain, defeating ASLR is usually the first step: an information leak that reveals even one pointer from the renderer process lets the attacker subtract a known offset to recover a module's base address and then compute the address of any other code or data in that module for use by a later code execution bug. Chrome's renderer holds many such pointers: JavaScript objects, V8 internal structures, JIT-compiled code and Blink objects. Any of them, once readable by attacker-controlled JavaScript, undermines ASLR for that renderer process.

Overview

CVE-2021-37976 is an information disclosure vulnerability in Chrome's core memory handling that Google described as an "inappropriate implementation in Memory": a remote attacker can obtain potentially sensitive information from the renderer process's memory via a crafted HTML page. NVD classifies it as CWE-862 (Missing Authorization), but that label is a catalog classification rather than a published root cause. Leaked memory can include addresses that defeat ASLR for a companion code execution exploit. Google shipped the fix in Chrome 94.0.4606.71 on September 30, 2021, rated the bug High severity, and stated that an exploit existed in the wild. The CVSS Confidentiality impact of High (C:H) reflects that disclosed memory may contain sensitive data or security-critical addresses. CISA added it to the KEV catalog on November 3, 2021.

Affected Versions

Product | Vulnerable | Fixed
Google Chrome before 94.0.4606.71 | Yes | Chrome 94.0.4606.71 (September 30, 2021)
Microsoft Edge (Chromium-based) before the build carrying the Chromium 94.0.4606.71 fix | Yes | The Edge stable update that followed Chrome 94.0.4606.71
Other Chromium-based browsers on older Chromium | Yes | Corresponding vendor updates

Technical Details

  • Root cause: Google's description is an inappropriate implementation in Chrome's Memory component (the release notes call it an information leak in core); a crafted HTML page can cause the renderer process to disclose raw memory contents to attacker-controlled JavaScript. NVD labels the weakness CWE-862 (Missing Authorization), but the advisory gives no root-cause detail that would confirm that label, so treat it as a catalog classification rather than evidence of a specific missing permission check
  • ASLR defeat: if the disclosed bytes include pointers into the renderer, the attacker subtracts the known offset of the pointed-to code or data within its module (Chrome's binary, V8 inside it, or a system library such as libc) to recover that module's randomized base address, which is what a ROP chain or JIT-based code execution stage needs. V8 heap pointers have been 32-bit compressed offsets on 64-bit builds since Chrome 80, so a leak that exposes a full pointer into the Chrome binary or a system library is worth more to an attacker than one that exposes only compressed heap references
  • Exploit chain role: CVE-2021-37976 fits the information leak stage of a multi-stage chain. Stage 1 (CVE-2021-37976): the target visits a malicious page, script leaks memory contents, and the attacker recovers module base addresses. Stage 2 (a separate code execution bug): the recovered addresses turn a memory corruption into reliable code execution inside the renderer; a sandbox escape would still be needed to reach the OS. The Chrome advisory does not say which bug was chained with this leak: CVE-2021-37975, a V8 use-after-free fixed in the same release and also exploited in the wild, is the candidate closest in time, while CVE-2021-38003 (fixed a month later in Chrome 95) is another possibility
  • Standalone impact (C:H): even without a code execution bug, memory disclosure from the renderer may expose data that process holds: page content, form data, tokens kept in script-visible state, or other in-memory secrets. Which data is reachable depends on what the leaking renderer hosts, which is where Site Isolation matters
  • Information leaks as force multipliers: a standalone leak carries a moderate CVSS score, yet it is what turns an unreliable memory corruption into a stable, deterministic exploit. A chain that must guess addresses crashes the renderer on a wrong guess; one that knows them succeeds on the first attempt
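The C program below is an added illustration, not Chrome code and not the CVE-2021-37976 bug itself (whose internals are not described on this page). It models the pattern the ASLR section and the technical details above describe: a serializer that bounds a copy by the wrong size lets script-controlled input read a code pointer stored next to script-visible data, and the attacker then subtracts the function's known offset to recover the randomized module base. The record layout, the function names and the hardened variant are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record, not a Chrome structure: script-visible data sits
 * next to an internal code pointer that must never reach JavaScript. */
typedef void (*handler_fn)(void);

struct record {
    char name[16];         /* data the page is allowed to read back */
    handler_fn on_change;  /* internal code pointer; leaking it reveals a code address */
};

static void on_change_impl(void) { /* stand-in for real renderer code */ }

/* Vulnerable serializer: the length check is against the whole record instead
 * of the field the caller may read, so a request for sizeof(struct record)
 * bytes copies the code pointer into the attacker-visible buffer. */
size_t serialize_name_vuln(const struct record *r, size_t req_len,
                           unsigned char *out, size_t out_cap)
{
    if (req_len > sizeof *r || req_len > out_cap)
        return 0;                       /* wrong bound: the record, not the field */
    memcpy(out, r, req_len);            /* reads past name[] into on_change */
    return req_len;
}

/* Hardened serializer: bound the copy by the exposed field's actual length. */
size_t serialize_name_safe(const struct record *r, size_t req_len,
                           unsigned char *out, size_t out_cap)
{
    const void *nul = memchr(r->name, 0, sizeof r->name);
    size_t name_len = nul ? (size_t)((const char *)nul - r->name) : sizeof r->name;
    if (req_len > name_len || req_len > out_cap)
        return 0;                       /* refuse anything beyond the visible data */
    memcpy(out, r->name, req_len);
    return req_len;
}

/* Attacker side: reinterpret the bytes that followed name[] as a pointer. */
uintptr_t extract_pointer(const unsigned char *buf, size_t len)
{
    uintptr_t p = 0;
    size_t off = offsetof(struct record, on_change);
    if (len < off + sizeof p)
        return 0;                       /* leak too short to contain the pointer */
    memcpy(&p, buf + off, sizeof p);
    return p;
}

/* Attacker side: a leaked code address minus that function's offset inside
 * the module (known from a local copy of the same binary) is the randomized
 * base; any other address in the module is then base + its known offset. */
uintptr_t module_base_from_leak(uintptr_t leaked, uintptr_t known_offset)
{
    return leaked - known_offset;
}

uintptr_t resolve_in_module(uintptr_t base, uintptr_t target_offset)
{
    return base + target_offset;
}

/* 1 if the vulnerable path hands the attacker the exact address of on_change_impl. */
int demo_vuln_leaks_pointer(void)
{
    struct record r = { "tab-title", on_change_impl };
    unsigned char buf[sizeof r];
    size_t n = serialize_name_vuln(&r, sizeof r, buf, sizeof buf);
    return extract_pointer(buf, n) == (uintptr_t)on_change_impl;
}

/* 1 if the hardened path refuses the over-long request but still serves the name. */
int demo_safe_serves_name_only(void)
{
    struct record r = { "tab-title", on_change_impl };
    unsigned char buf[sizeof r];
    size_t refused = serialize_name_safe(&r, sizeof r, buf, sizeof buf);
    size_t served = serialize_name_safe(&r, 9, buf, sizeof buf);
    return refused == 0 && served == 9 && memcmp(buf, "tab-title", 9) == 0;
}

int main(void)
{
    printf("vulnerable serializer leaks code pointer: %s\n",
           demo_vuln_leaks_pointer() ? "yes" : "no");
    printf("hardened serializer serves only the name: %s\n",
           demo_safe_serves_name_only() ? "yes" : "no");
    return 0;
}
```

The fix is not "check the length" but "check it against the right object": the vulnerable version does have a bounds check, it just bounds the copy by the allocation that holds the field rather than by the field itself, which is the shape many real over-read leaks take. Run the program twice and compare the leaked address; it changes between runs because the binary is position independent, and that per-run value is exactly what a chained exploit needs.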

Discovery

Reported to Google by Clément Lecigne of Google's Threat Analysis Group, with technical assistance from Sergei Glazunov and Mark Brand of Google Project Zero, and fixed in Chrome 94.0.4606.71 on September 30, 2021. The release notes stated that exploits existed in the wild for CVE-2021-37976 and for CVE-2021-37975, a V8 use-after-free fixed in the same update. CISA added it to KEV on November 3, 2021, in the initial catalog published with BOD 22-01, alongside other Chrome vulnerabilities from 2021.

Exploitation Context

Memory information leaks like CVE-2021-37976 are typically used by actors who maintain complete exploit chains: a leak stage, a separate code execution stage, and on Chrome usually a sandbox escape after that. Which code execution bug this leak was paired with is not stated in the Chrome advisory. CVE-2021-37975, a V8 use-after-free fixed in the same Chrome 94.0.4606.71 release and also reported as exploited in the wild, is the natural candidate from the release timing; CVE-2021-38003, a V8 bug Google described as an inappropriate implementation, was fixed a month later in Chrome 95.0.4638.69 (October 28, 2021) and was also exploited in the wild, so a pairing with it is possible but unconfirmed. Chains that use an information leak to defeat ASLR are characteristic of nation-state actors and commercial surveillance vendors such as NSO Group and Cytrox, who need reliable one-shot exploitation against high-value targets. The CISA KEV addition reflects that organizations running unpatched Chrome remained exposed to such chains.

Remediation

  1. Update Chrome to 94.0.4606.71 or later; any current Chrome release contains the fix. Check the running build from chrome://version or google-chrome --version rather than only the installed package, since a downloaded update is not applied until the browser relaunches
  2. Update all Chromium-based browsers (Edge, Opera, Brave) separately; each vendor ships the Chromium fix on its own schedule
  3. Enable automatic Chrome updates and verify that no enterprise policy or network control blocks update delivery
  4. Keep Site Isolation enabled. It isolates sites (registrable domains, not individual origins) in separate renderer processes, has been on by default on desktop Chrome since Chrome 67, is governed by the SitePerProcess enterprise policy, and can be forced on with the --site-per-process switch. It does not stop a renderer from leaking its own memory, but it limits that memory to one site's data rather than every page the user has open. Confirm the mode at chrome://process-internals and check that no deployment script passes --disable-site-isolation-trials
  5. Keep the renderer sandbox on; never launch Chrome with --no-sandbox. The sandbox does not prevent disclosure of the renderer's own memory, which is exactly what this bug leaks, but it forces a chained code execution exploit to find a further sandbox escape before it can touch the OS
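As an added example (not from this page or from Google), the C program below automates steps 1, 4 and 5 across a fleet inventory: it compares each host's reported Chrome build against 94.0.4606.71 component by component (a plain string compare would rank 100.x below 94.x), and flags command lines that carry --no-sandbox or --disable-site-isolation-trials as whole tokens rather than substrings. The inventory entries are constructed sample data; the host names, versions and command lines are not real.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* First Chrome build that carries the fix for CVE-2021-37976. */
#define FIXED_VERSION "94.0.4606.71"

/* Parse a dotted Chrome build "a.b.c.d" into four integers.
 * Returns 1 on success, 0 if the string is not exactly four numeric fields. */
static int parse_version(const char *s, int v[4])
{
    char tail;  /* assigned only when trailing garbage follows the fourth field */
    return sscanf(s, "%d.%d.%d.%d%c", &v[0], &v[1], &v[2], &v[3], &tail) == 4;
}

/* 1 if `version` is older than FIXED_VERSION, 0 if it is that build or newer,
 * -1 if the string cannot be parsed (treat as "needs a manual look"). */
int chrome_vulnerable(const char *version)
{
    int have[4], fixed[4];
    if (!parse_version(version, have) || !parse_version(FIXED_VERSION, fixed))
        return -1;
    for (int i = 0; i < 4; i++)
        if (have[i] != fixed[i])
            return have[i] < fixed[i];  /* first differing component decides */
    return 0;
}

/* Whole-token match so that "--no-sandbox" is found but a longer switch or a
 * path that merely contains the text is not. */
int cmdline_has_flag(const char *cmdline, const char *flag)
{
    size_t flen = strlen(flag);
    const char *p = cmdline;
    while ((p = strstr(p, flag)) != NULL) {
        int starts_token = (p == cmdline) || isspace((unsigned char)p[-1]);
        char next = p[flen];
        int ends_token = next == '\0' || isspace((unsigned char)next);
        if (starts_token && ends_token)
            return 1;
        p += flen;
    }
    return 0;
}

struct host {
    const char *name;
    const char *version;  /* e.g. from `google-chrome --version` */
    const char *cmdline;  /* the running browser's command line */
};

/* Constructed sample inventory; none of these are real hosts. */
static const struct host INVENTORY[] = {
    { "ws-01", "94.0.4606.61", "/opt/google/chrome/chrome" },               /* 94 line, but before the fix */
    { "ws-02", "94.0.4606.71", "/opt/google/chrome/chrome" },               /* exactly the fixed build */
    { "ws-03", "95.0.4638.69", "/opt/google/chrome/chrome --no-sandbox" },  /* patched, sandbox disabled */
    { "ws-04", "93.0.4577.82", "/opt/google/chrome/chrome" },               /* older major: vulnerable */
    { "ws-05", "unknown",      "" },                                        /* inventory gap: manual check */
};

/* Report and count hosts that need action: vulnerable or unparseable build,
 * or a command line that turns off the sandbox or site isolation. */
int hosts_needing_action(void)
{
    int count = 0;
    for (size_t i = 0; i < sizeof INVENTORY / sizeof INVENTORY[0]; i++) {
        const struct host *h = &INVENTORY[i];
        int vuln = chrome_vulnerable(h->version);
        int weakened = cmdline_has_flag(h->cmdline, "--no-sandbox")
                    || cmdline_has_flag(h->cmdline, "--disable-site-isolation-trials");
        if (vuln == 0 && !weakened)
            continue;
        printf("%s: version %s%s%s%s\n", h->name, h->version,
               vuln == 1 ? " [older than " FIXED_VERSION "]" : "",
               vuln == -1 ? " [unparseable version]" : "",
               weakened ? " [sandbox or site isolation disabled]" : "");
        count++;
    }
    return count;
}

int main(void)
{
    printf("%d host(s) need action\n", hosts_needing_action());
    return 0;
}
```

Unparseable versions are reported rather than silently treated as patched, since an inventory gap is the usual way a vulnerable host hides from a fleet check. The same version comparison applies to any later Chrome fix by changing FIXED_VERSION.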

Key Details

CVE ID: CVE-2021-37976
Vendor / Product: Google / Chromium
NVD Published: 2021-10-08
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 6.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: MEDIUM (CVSS); Google rated the bug High
CWE: CWE-862 (Missing Authorization)
CISA KEV Added: 2021-11-03
CISA KEV Deadline: 2021-11-17
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

2021-09-30: Google releases Chrome 94.0.4606.71 patching CVE-2021-37976 as a zero-day; the advisory states that an exploit exists in the wild
2021-10-08: CVE published in NVD
2021-11-03: Added to the CISA Known Exploited Vulnerabilities catalog
2021-11-17: CISA BOD 22-01 remediation deadline

References

Chrome Stable Channel Update for Desktop, 94.0.4606.71 (September 30, 2021): vendor advisory
NVD entry for CVE-2021-37976: vulnerability database
CISA KEV catalog entry for CVE-2021-37976: US government