Cyber Resilience

CVE-2021-38003

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 23 November 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.6419 (98.5th percentile)
Risk Priority: 76 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-38003 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in the V8 engine of Google Chrome, also listed against Fedora and Debian Linux. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

The vulnerability is an inappropriate implementation in the V8 JavaScript engine in Google Chrome versions prior to 95.0.4638.69. It is tracked as CVE-2021-38003, has a CVSS score of 8.8, and is associated with CWE-755. It allows potential heap corruption when a victim renders a specially crafted HTML page.

A remote attacker can exploit the flaw without authentication by serving the malicious page to a target user, who needs only to visit it in an affected browser. Successful exploitation can result in heap corruption that compromises confidentiality, integrity, and availability on the affected system.

Chrome release notes and corresponding advisories from Fedora and Debian indicate that the issue is resolved by updating to version 95.0.4638.69 or later; distribution-specific packages were made available to facilitate deployment of the patched builds.

Vulnerability details

Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-755
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
google | chrome | ≤ 95.0.4638.69
fedoraproject | fedora | 34
debian | debian linux | 10.0, 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely identification and installation of security-relevant patches such as the Chrome 95.0.4638.69 update that eliminates the V8 heap-corruption flaw.

prevent: Enforces configuration settings that mandate approved, current browser versions, thereby blocking execution of the vulnerable V8 engine on crafted HTML pages.

detect: Requires scanning to discover instances of Chrome < 95.0.4638.69 so the specific heap-corruption vulnerability can be located and remediated before exploitation.
