CVE-2021-38000
Published 2021-11-23
Priority: P277 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
KEV · ITW
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 4.49% (90.3rd percentile)
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 97.0.4692.71-0.1~deb11u1 | 97.0.4692.71-0.1~deb11u1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| debian | chromium | < chromium 97.0.4692.71-0.1 (bookworm) | chromium 97.0.4692.71-0.1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| google | chrome | < 95.0.4638.69 | 95.0.4638.69 |
| google | chrome | >= unspecified < 95.0.4638.69 | 95.0.4638.69 |
| — | chrome_chrome | — | — |
| linux | linux_kernel | >= 0 < 4.15.0-239.251 | 4.15.0-239.251 |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
Detection guidance:
- CVE-2021-38000 was exploited as part of a chained exploit delivering PREDATOR/ALIEN spyware; detection should look for Chrome Intent-based redirects to unexpected URLs from crafted HTML pages on Android devices.
- ALIEN spyware injects into the zygote64 process on Android; monitor for unexpected code injection or unusual child processes spawned from zygote64.
- Presence of fs.db (an encrypted SQLite3 file) on an Android device may indicate PREDATOR spyware update/refresh activity.
- PREDATOR spyware uses Python-based modules (loader.py, sqlimper.py, tcore, _km); presence of these files on an Android device is a strong indicator of compromise.
- ALIEN uses dlsym() to call main_exec() from the downloaded PREDATOR component; monitor for unusual dlsym() calls in Android processes following network activity.
Scope caveats:
- CVE-2021-38000 affects only Google Chrome on Android prior to version 95.0.4638.69; the CISA advisory notes it could also affect other Chromium-based browsers (Edge, Opera), but the primary confirmed vector is Android Chrome.
- The PREDATOR/ALIEN samples analyzed by Talos were specifically designed for Android; iOS variants may exist but were not analyzed.
- The tcore and kmem PREDATOR components were not obtained for analysis; their full capabilities and indicators remain unknown.
- The URL used by ALIEN to download the PREDATOR component is stored in ALIEN's configuration and is operator-controlled; no static domain/IP IOC is available from the sources.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 6.1 | MEDIUM | — |
| cisa | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_msrc | — | 6.1 | MEDIUM | — |
OSV
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities
osv·2025-07-08·CVSS 7.8
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- PowerPC architecture;
- Block layer subsystem;
- ACPI drivers;
- NILFS2 file system;
- File systems infrastructure;
- Memory management;
- Network traffic control;
- USB sound devices;
(CVE-2025-37932, CVE-2024-53197, CVE-2024-50116, CVE-2021-47379,
CVE-2024-49958, CVE-2022-49179, CVE-2024-46787, CVE-2024-41070,
CVE-2025-38000, CVE-2024-56662, CVE-2022-49176, CVE-2025-37798)
OSV
linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips vulnerabilities
osv·2025-07-08·CVSS 7.8
CVE-2025-37932 linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- PowerPC architecture;
- Block layer subsystem;
- ACPI drivers;
- NILFS2 file system;
- File systems infrastructure;
- Memory management;
- Network traffic control;
- USB sound devices;
(CVE-2025-37932, CVE-2024-53197, CVE-2024-50116, CVE-2021-47379,
CVE-2024-49958, CVE-2022-49179, CVE-2024-46787, CVE-2024-41070,
CVE-2025-38000, CVE-2024-56662, CVE-2022-49176, CVE-2025-37798)
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
GHSA
GHSA-xrj7-4gfh-q9h7: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95
ghsa_unreviewed·2021-11-24
CVE-2021-38000 [MEDIUM] CWE-20 GHSA-xrj7-4gfh-q9h7: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.
OSV
CVE-2021-38000: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95
osv·2021-11-23·CVSS 6.1
CVE-2021-38000 [MEDIUM] CVE-2021-38000: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.
VulnCheck
Google Chromium Intents Improper Input Validation Vulnerability
vulncheck·2021·CVSS 6.1
CVE-2021-38000 [MEDIUM] CWE-20 Google Chromium Intents Improper Input Validation Vulnerability
Google Chromium Intents Improper Input Validation Vulnerability
Google Chromium Intents contains an improper input validation vulnerability that allows a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium Intents
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.talosintelligence.com/mercenary-intellexa-predator/; https://storage.googleapis.com/gweb-uniblog-publish-p
Project0
Project Zero RCA: CVE-2021-38000: Chrome Intents Logic Flaw
project_zero·CVSS 6.1
CVE-2021-38000 [MEDIUM] Project Zero RCA: CVE-2021-38000: Chrome Intents Logic Flaw
# CVE-2021-38000: Chrome Intents Logic Flaw
*Maddie Stone, Google Project Zero*
## The Basics
**Disclosure or Patch Date:** October 28, 2021
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
**Affected Versions:** pre-95.0.4638.50
**First Patched Version:** 95.0.4638.50
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1249962
**Patch CL:** https://chromium.googlesource.com/chromium/src/+/36aa9d15d1283d8d9758b044b7a9a20349f507de
**Bug-Introducing CL:** N/A
**Reporter(s):** Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group
## The Code
**Proof-of-concept:**
```python
import SimpleHTTPServer
import SocketServer
class FakeRedirect(SimpleHTTPServer.SimpleH
```
Project0
Project Zero RCA: CVE-2021-0920: Android sk_buff use-after-free in Linux
project_zero·CVSS 6.4
CVE-2021-0920 [MEDIUM] Project Zero RCA: CVE-2021-0920: Android sk_buff use-after-free in Linux
# CVE-2021-0920: Android sk_buff use-after-free in Linux
*Xingyu Jin, Android Security Research*
## The Basics
**Disclosure or Patch Date:** November 5, 2021
**Product:** Google Android
**Advisory:** https://source.android.com/security/bulletin/2021-11-01#kernel-components
**Affected Versions:** Pre-Nov 5 2021 SPL for devices released prior to Nov 2022
**First Patched Version:** 5 Nov 2021 SPL+
**Issue/Bug Report:** A-196926917
**Patch CL:** https://android.googlesource.com/kernel/common/+/cbcf01128d0a92e131bd09f1688fe032480b65ca
**Bug-Introducing CL:** Unknown
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:** See the appendix
**Exploit sample:** N/A
**Did you have access to the exploit sample when doing the analysis?** Yes
## The Vulnerability
**Bug class:** use-
CISA
Google Chromium Intents Improper Input Validation Vulnerability
cisa·2021-11-03·CVSS 6.1
CVE-2021-38000 [MEDIUM] CWE-20 Google Chromium Intents Improper Input Validation Vulnerability
Vulnerability: Google Chromium Intents Improper Input Validation Vulnerability
Affected: Google Chromium Intents
Google Chromium Intents contains an improper input validation vulnerability that allows a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-38000
Remediation Due Date: 2021-11-17
Chrome
Stable Channel Update for Desktop: CVE-2021-37999
vendor_chrome·2021-10-28·CVSS 6.1
CVE-2021-37999 [HIGH] Stable Channel Update for Desktop: CVE-2021-37999
Stable Channel Update for Desktop
- CVE-2021-37999: Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
- [$N/A][1249962] High CVE-2021-38000: Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
- [$N/A][1260577] High CVE-2021-38001: Type Confusion in V8
Severity: high
Microsoft
Chromium: CVE-2021-38000 Insufficient validation of untrusted input in Intents
vendor_msrc·2021-10-12·CVSS 6.1
CVE-2021-38000 [MEDIUM] Chromium: CVE-2021-38000 Insufficient validation of untrusted input in Intents
Chromium: CVE-2021-38000 Insufficient validation of untrusted input in Intents
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that exploits for this vulnerability exist in the wild.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 95.0.1020.40 | 10/29/2021 | 95.0.4638.69 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Micro
Debian
CVE-2021-38000: chromium - Insufficient validation of untrusted input in Intents in Google Chrome on Androi...
vendor_debian·2021·CVSS 6.1
CVE-2021-38000 [MEDIUM] CVE-2021-38000: chromium - Insufficient validation of untrusted input in Intents in Google Chrome on Androi...
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 97.0.4692.71-0.1)
bullseye: resolved (fixed in 97.0.4692.71-0.1~deb11u1)
forky: resolved (fixed in 97.0.4692.71-0.1)
sid: resolved (fixed in 97.0.4692.71-0.1)
trixie: resolved (fixed in 97.0.4692.71-0.1)
No detection rules found.
No public exploits indexed.
Mandiant
Intellexa’s Prolific Zero-Day Exploits Continue
blogs_mandiant·2025-12-03
Intellexa’s Prolific Zero-Day Exploits Continue
Threat Intelligence
# Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
December 3, 2025
##### Google Threat Intelligence Group
### Introduction
Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving.
Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders. Alongside
Talos
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
blogs_talos·2023-05-25
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
We would like to thank The Citizen Lab for their cooperation, support and inputs into this research.
- Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
- Our research specifically looks at two components of this mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the spyware implant. Our findings include an in-depth walkthrough of the infection chain, including the implants’ various information-stealing capabilities.
- A deep dive into both spyware components indicates that ALIEN is more than just a loader for PREDATOR and acti
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
arXiv
A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities
arxiv_fulltext·2024-06-09
A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities
## Abstract
The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the point of failure in an otherwise formidable defense. Given that few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendat
References
- https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
- https://crbug.com/1249962
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/
- https://www.debian.org/security/2022/dsa-5046
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38000
Timeline
- 2021-11-23: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild