cbcvebase.
CVE-2021-38003
published 2021-11-23

CVE-2021-38003: Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML…

Priority: P1 (85), high
CVSS 3.1: 8.8, vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 36.24% (98.3rd percentile)
Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected

11 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 97.0.4692.71-0.1~deb11u1 | 97.0.4692.71-0.1~deb11u1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| chromium | chromium | >= 0 < 97.0.4692.71-0.1 | 97.0.4692.71-0.1 |
| debian | chromium | < chromium 97.0.4692.71-0.1 (bookworm) | chromium 97.0.4692.71-0.1 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| google | chrome | < 95.0.4638.69 | 95.0.4638.69 |
| google | chrome | >= unspecified < 95.0.4638.69 | 95.0.4638.69 |
| msrc | microsoft_edge | | |

Detection & IOCs (extracted from sources)

  • CVE-2021-38003 is a V8 engine bug where the internal TheHole value can leak to script code via JSON.stringify, causing memory corruption — detection should focus on anomalous JSON.stringify usage or V8 heap corruption indicators in Chrome/Edge/Opera prior to version 95.0.4638.69
  • CVE-2021-38003 was exploited in the wild as part of a chained exploit sequence (alongside CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-1048) to deliver the ALIEN/PREDATOR Android spyware implant — correlate Chrome exploit activity with subsequent Android process anomalies in zygote64, system_server, installd, or audioserver
  • Monitor Android processes for unexpected injection into zygote64, system_server, installd, audioserver — these are the specific process names targeted by the ALIEN spyware component delivered via CVE-2021-38003 exploit chain
  • Google confirms exploits for CVE-2021-38003 exist in the wild; any Chrome/Edge/Opera instance below version 95.0.4638.69 (Chrome) or 95.0.1020.40 (Edge) should be treated as actively exploitable
  • The vulnerability could affect multiple web browsers that utilize Chromium, not limited to Chrome and Edge — the scope of affected products is broad

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |