CVE-2021-38003

Published Nov 23, 2021

Last updated 9 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2021-38003 is a vulnerability affecting Google Chrome's V8 JavaScript engine. Disclosed in October 2021, the vulnerability exists due to an inappropriate implementation in V8. It impacts Chrome versions prior to 95.0.4638.69. The vulnerability stems from how V8 handles exceptions in JSON.stringify(). Specifically, the `JsonStringifier::SerializeObject()` function doesn't properly set the pending exception before returning. This can lead to a special V8 value called "TheHole" being leaked to the script. This leakage violates Chrome's source code assumptions, potentially causing memory corruption and enabling a remote attacker to exploit heap corruption via a crafted HTML page.

Description: Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: chrome-cve-admin@google.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6.8
Impact score: 6.4
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:P

Known exploits

Data from CISA

Vulnerability name: Google Chromium V8 Memory Corruption Vulnerability
Exploit added on: Nov 3, 2021
Exploit action due: Nov 17, 2021
Required action: Apply updates per vendor instructions.

Weaknesses

nvd@nist.gov: CWE-755
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-755

Hype score: Not currently trending

in addition to the YouTube app, Netflix for PS4/PS5 could probably be used as an entry point leveraging CVE-2024-4701 bug to gain remote code execution but CVE-2021-38003 could be the best option according to autechre (previously known as moogie from the PS3 jailbreaking scene)
@BrutalSam_
17 Oct 2025
25097 Impressions
18 Retweets
263 Likes
43 Bookmarks
9 Replies
4 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B625BE9F-2418-44C9-8974-DFD6430CBD46",
            "versionEndExcluding": "95.0.4638.69"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.