CVE-2021-38003

HIGH KEV

Google Chrome <95.0.4638.69 - Heap Corruption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-38003 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 1 public exploit from researchers including SpiralBL0CK.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-38003, targeting a V8 engine vulnerability in Chrome. The exploit includes shellcode and memory manipulation techniques to achieve remote code execution (RCE).

Description

Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Exploits (1)

nomisec WORKING POC 38 stars
by SpiralBL0CK · client-side
https://github.com/SpiralBL0CK/Chrome-V8-RCE-CVE-2021-38003

This repository contains a functional exploit for CVE-2021-38003, targeting a V8 engine vulnerability in Chrome. The exploit includes shellcode and memory manipulation techniques to achieve remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome (V8 engine)
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute the JavaScript payload
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 8.8
EPSS 0.3624
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-10-26
InTheWild.io 2021-10-26
ENISA EUVD EUVD-2021-24476
CWE
CWE-755
Status published
Products (4)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
google/chrome < 95.0.4638.69
Published Nov 23, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026