CVE-2021-37973

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 11 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

14.78%

probability

This CVE has a 14.78% probability of being exploited in the next 30 days.

0% Top 94.6th percentile of all CVEs 100%

CVSS score unavailable

Neither CIRCL nor NVD returned a CVSS score for this CVE. View on VulnerabilityLookup ↗

Description

Project Zero

Use-after-free in Portals

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-416 · Use After Free CWE-664 · Improper Control of a Resource Through its Lifetime CWE-666 · Operation on Resource in Wrong Phase of Lifetime CWE-672 · Operation on a Resource after Expiration or Release CWE-825 · Expired Pointer Dereference

Google Project Zero

Discovered

Sept. 21, 2021

Patched

Sept. 24, 2021

Reported by

Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero

Root Cause Analysis

???

Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws

TheHackerNews

Google pushes emergency Chrome update to fix zero-day used in attacks

BleepingComputer Dec 13, 2021

Emergency Google Chrome update fixes zero-days used in attacks

BleepingComputer Oct 28, 2021

Update Google Chrome to Patch New Zero-Day Exploit Detected in the Wild

TheHackerNews

Google pushes emergency Chrome update to fix two zero-days

BleepingComputer Sep 30, 2021

Urgent Chrome Update Released to Patch Actively Exploited Zero-Day Vulnerability

TheHackerNews

Google Chrome emergency update fixes zero-day exploited in attacks

BleepingComputer Feb 14, 2022

Emergency Google Chrome update fixes zero-day exploited in the wild

BleepingComputer Sep 24, 2021

Google: Predator spyware infected Android devices using zero-days

BleepingComputer May 22, 2022

Qualys Response to CISA Alert: Binding Operational Directive 22-01

Qualys Nov 09, 2021

Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

TheHackerNews

Signal Intelligence

Confidenceⓘ

95%

EPSS 14.78%

Mentions 11

Last Seen May 22, 2022

CNA Information

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Threat Actors 6

Turla Group

apt_group Information theft and espionage Russian Federation

APT 29

apt_group Information theft and espionage 🇷🇺 RU

APT 28

apt_group Information theft and espionage 🇷🇺 RU

Pat Bear

apt_group 🇸🇾 SY

PassCV

apt_group Information theft and espionage 🇨🇳 CN

APT 5

apt_group Information theft and espionage 🇨🇳 CN

Triage Info

Decided atMar 05, 2026