CVE-2021-38003
high
KEV
CVSS v3
—
CVSS v2
—
VIR risk
9.5
Description
Google Chromium V8 Engine has a bug in JSON.stringify, where the internal TheHole value can leak to script code, causing memory corruption. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CISA KEV
- Vendor
- Product
- Chromium V8
- Due date
- 2021-11-17
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2021-38003
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-38003
Vendor advisory: arch — https://security.archlinux.org/ASA-202110-7
Vendor advisory: arch — https://security.archlinux.org/ASA-202112-1
Exploits
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 5.0.2497.24-1 | |
| debian | bookworm | fixed | 97.0.4692.71-0.1 |
| debian | bullseye | fixed | 97.0.4692.71-0.1~deb11u1 |
| debian | forky | fixed | 97.0.4692.71-0.1 |
| debian | sid | fixed | 97.0.4692.71-0.1 |
| debian | trixie | fixed | 97.0.4692.71-0.1 |
References
Verify integrity in audit chain (admin only). AS-IS.