CVE-2021-38001
Published 2021-11-23
CVE-2021-38001: Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Priority P2 · 61 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 26.70% (97.8th percentile)
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 97.0.4692.71-0.1~deb11u1 | 97.0.4692.71-0.1~deb11u1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| debian | chromium | < chromium 97.0.4692.71-0.1 (bookworm) | chromium 97.0.4692.71-0.1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| — | chrome | < 95.0.4638.69 | 95.0.4638.69 |
| — | chrome | >= unspecified < 95.0.4638.69 | 95.0.4638.69 |
| — | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is a Type Confusion in V8 (Chrome's JavaScript engine); target detection at crafted HTML pages triggering V8 type confusion leading to heap corruption
- CVE-2021-38001 was reported by Google Threat Analysis Group (TAG), suggesting active exploitation in the wild at time of disclosure; prioritize detection and patching accordingly
- No public exploit code, payload hashes, C2 infrastructure, or network indicators were present in the available sources; IOC array is empty as a result
- Debian tracker scopes this as 'local' despite NVD describing a remote attack vector via crafted HTML; verify scope assumptions in your environment
CVSS provenance
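| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |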
GHSA
GHSA-pp89-rwqv-pgh4: Type confusion in V8 in Google Chrome prior to 95
ghsa_unreviewed·2021-11-24
CVE-2021-38001 [HIGH] CWE-843 GHSA-pp89-rwqv-pgh4: Type confusion in V8 in Google Chrome prior to 95
Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2021-38001: Type confusion in V8 in Google Chrome prior to 95
osv·2021-11-23·CVSS 8.8
CVE-2021-38001 [HIGH] CVE-2021-38001: Type confusion in V8 in Google Chrome prior to 95
Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Chrome
Stable Channel Update for Desktop: CVE-2021-37999
vendor_chrome·2021-10-28·CVSS 6.1
CVE-2021-37999 [HIGH] Stable Channel Update for Desktop: CVE-2021-37999
Stable Channel Update for Desktop
- CVE-2021-37999: Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
- [$N/A][1249962] High CVE-2021-38000: Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
- [$N/A][1260577] High CVE-2021-38001: Type Confusion in V8
Severity: high
Microsoft
Chromium: CVE-2021-38001 Type Confusion in V8
vendor_msrc·2021-10-12·CVSS 8.8
CVE-2021-38001 [HIGH] Chromium: CVE-2021-38001 Type Confusion in V8
Chromium: CVE-2021-38001 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 95.0.1020.40 | 10/29/2021 | 95.0.4638.69 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Mi
Debian
CVE-2021-38001: chromium - Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote att...
vendor_debian·2021·CVSS 8.8
CVE-2021-38001 [HIGH] CVE-2021-38001: chromium - Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote att...
Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 97.0.4692.71-0.1)
bullseye: resolved (fixed in 97.0.4692.71-0.1~deb11u1)
forky: resolved (fixed in 97.0.4692.71-0.1)
sid: resolved (fixed in 97.0.4692.71-0.1)
trixie: resolved (fixed in 97.0.4692.71-0.1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
- https://crbug.com/1260577
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/
- https://www.debian.org/security/2022/dsa-5046