⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-38003 — Improper Handling of Exceptional Conditions in Google Chrome

CWE-755 — Improper Handling of Exceptional Conditions CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write16 documents11 sources

Severity

8.8HIGHNVD

EPSS

68.3%

top 1.39%

CISA KEV

KEV

Added 2021-11-03

Due 2021-11-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Google Chrome Chromium Debian Chromium +3 more

Timeline

KEV addedNov 3

KEV dueNov 17

PublishedNov 23

Latest updateDec 3

CISA Required Action: Apply updates per vendor instructions.

Description

Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5google/chromeunspecified — 95.0.4638.69

▶NVDgoogle/chrome< 95.0.4638.69

▶debiandebian/chromium< chromium 97.0.4692.71-0.1 (bookworm)

▶Debianchromium/chromium< 97.0.4692.71-0.1~deb11u1+3

▶msrcmsrc/microsoft_edge

Also affects: Debian Linux 10.0, 11.0, Fedora 34

🔴Vulnerability Details

Project0

The More You Know, The More You Know You Don’t Know - Project Zero↗2022-04-01

▶

GHSA

GHSA-4xx3-xg55-3wr5: Inappropriate implementation in V8 in Google Chrome prior to 95↗2021-11-24

▶

OSV

CVE-2021-38003: Inappropriate implementation in V8 in Google Chrome prior to 95↗2021-11-23

▶

VulnCheck

Google Chromium V8 Memory Corruption Vulnerability↗2021

▶

Project0

Project Zero RCA: CVE-2022-1364: Inconsistent Object Materialization in V8↗

▶

📋Vendor Advisories

CISA

Google Chromium V8 Memory Corruption Vulnerability↗2021-11-03

▶

Microsoft

Chromium: CVE-2021-38003 Inappropriate implementation in V8↗2021-10-12

▶

Debian

CVE-2021-38003: chromium - Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowe...↗2021

▶

🕵️Threat Intelligence

Mandiant

Intellexa’s Prolific Zero-Day Exploits Continue↗2025-12-03

▶

Mandiant

Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue↗2025-12-03

▶

Talos

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware↗2023-05-25

▶

Talos

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware↗2023-05-25

▶

Qualys

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys↗2022-02-23

▶