Cyber Resilience

CVE-2021-38000

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 23 November 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0417 (88.9th percentile)
Risk Priority: 35 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-38000 is a medium-severity Open Redirect (CWE-601) vulnerability in Debian Linux. Its CVSS base score is 6.1 (Medium).

Operationally, it is ranked in the top 11.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-38000 stems from insufficient validation of untrusted input in Intents in Google Chrome on Android prior to version 95.0.4638.69. It is tracked under CWE-601 and CWE-20 and carries a CVSS 3.1 score of 6.1, reflecting a network attack vector, low complexity, no required privileges, required user interaction, and changed scope with limited confidentiality and integrity impact.

A remote attacker can exploit the flaw by serving a crafted HTML page that triggers an arbitrary redirect of the victim's browser to a malicious URL. The attack succeeds without further privileges once the page is rendered, allowing the adversary to direct users to attacker-controlled destinations.

Chrome release notes and distribution advisories state that the issue is resolved by updating to Chrome 95.0.4638.69 or later; Fedora and Debian have issued corresponding package updates to enforce the patched version. No information on observed in-the-wild exploitation is supplied in the referenced sources.

Vulnerability details

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily redirect the browser to a malicious URL via a crafted HTML page.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Version(s)
google / chrome: ≤ 95.0.4638.69
fedoraproject / fedora: 34
debian / debian linux: 10.0, 11.0

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly requires validation of untrusted input to block the crafted Intent/URL that triggers the open redirect.

Prevent: Mandates timely application of the Chrome 95.0.4638.69 patch that eliminates the insufficient validation flaw.

Prevent: Enforces information-flow rules that can restrict unauthorized URL redirects originating from untrusted web content.
