Exploitation Summary
CVE-2021-38000 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021.
Description
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.
References (5)
- Release Notes: https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
- Exploit, Issue Tracking: https://crbug.com/1249962
- Release Notes, Vendor Advisory (Fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744/
- Mailing List, Third Party Advisory, Vendor Advisory (Debian): https://www.debian.org/security/2022/dsa-5046
- US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38000
Scores
CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.0417 (89.0th percentile)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: no
Technical Impact: partial
Details
CISA KEV: 2021-11-03
VulnCheck KEV: 2021-09-15
InTheWild.io: 2021-09-15
ENISA EUVD: EUVD-2021-24473
CWE: CWE-20, CWE-601
Status: published
Products (4)
- debian/debian_linux 10.0
- debian/debian_linux 11.0
- fedoraproject/fedora 34
- google/chrome < 95.0.4638.69
Published: Nov 23, 2021
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026