CVE-2021-38013
Description
Heap buffer overflow in fingerprint recognition in Google Chrome on ChromeOS prior to 96.0.4664.45 allowed a remote attacker who had compromised a WebUI renderer process to potentially perform a sandbox escape via a crafted HTML page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer overflow in Chrome's fingerprint recognition on ChromeOS allows sandbox escape from a compromised WebUI renderer.
Vulnerability
A heap buffer overflow vulnerability exists in the fingerprint recognition component of Google Chrome on ChromeOS. The issue affects versions prior to 96.0.4664.45. The vulnerability is triggered when a crafted HTML page is processed by a WebUI renderer that has already been compromised.
Exploitation
Exploitation requires an attacker to first compromise a WebUI renderer process (e.g., via another vulnerability). The attacker then delivers a specially crafted HTML page that triggers the heap buffer overflow in the fingerprint recognition code, leading to memory corruption.
Impact
Successful exploitation allows the attacker to escape the Chrome sandbox, potentially gaining elevated privileges on the ChromeOS system. This could lead to full system compromise.
Mitigation
The vulnerability is fixed in Chrome version 96.0.4664.45 for ChromeOS. Users should update to this version or later. No workaround is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9- osv-coords6 versionspkg:rpm/opensuse/chromium&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/chromium&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/chromium&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/opera&distro=openSUSE%20Leap%2015.3%20NonFreepkg:rpm/opensuse/opera&distro=openSUSE%20Leap%2015.4%20NonFreepkg:rpm/suse/chromium&distro=SUSE%20Package%20Hub%2015%20SP3
< 96.0.4664.110-lp152.2.143.1+ 5 more
- (no CPE)range: < 96.0.4664.110-lp152.2.143.1
- (no CPE)range: < 96.0.4664.93-bp153.2.45.2
- (no CPE)range: < 96.0.4664.110-1.1
- (no CPE)range: < 83.0.4254.27-lp153.2.33.1
- (no CPE)range: < 85.0.4341.28-lp154.2.5.1
- (no CPE)range: < 96.0.4664.93-bp153.2.45.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/mitrevendor-advisoryx_refsource_FEDORA
- www.debian.org/security/2022/dsa-5046mitrevendor-advisoryx_refsource_DEBIAN
- chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.htmlmitrex_refsource_MISC
- crbug.com/1242392mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.