CVE-2021-38001
published 2021-11-23

CVE-2021-38001: Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Priority: P261 | high | 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 26.70% (97.8th percentile)
Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 97.0.4692.71-0.1~deb11u1 | 97.0.4692.71-0.1~deb11u1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| debian | chromium | < chromium 97.0.4692.71-0.1 (bookworm) | chromium 97.0.4692.71-0.1 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| google | chrome | < 95.0.4638.69 | 95.0.4638.69 |
| google | chrome | >= unspecified < 95.0.4638.69 | 95.0.4638.69 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |

Detection & IOCs (extracted from sources)

  • The vulnerability is a type confusion in V8 (Chrome's JavaScript engine); focus detection on crafted HTML pages that trigger V8 type confusion leading to heap corruption
  • CVE-2021-38001 was reported by Google Threat Analysis Group (TAG), suggesting active exploitation in the wild at time of disclosure; prioritize detection and patching accordingly
  • No public exploit code, payload hashes, C2 infrastructure, or network indicators were present in the available sources; IOC array is empty as a result
  • Debian tracker scopes this as 'local' despite NVD describing a remote attack vector via crafted HTML; verify scope assumptions in your environment

CVSS provenance

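| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |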