What is Chrome Intents?
Chrome's Intents mechanism handles intent:// URI schemes, which allow web pages to launch Android applications or trigger specific behaviors through the Android Intent system. When Chrome processes an intent:// URL, it can navigate to specific content or launch applications on Android, and on desktop platforms the Intents system controls how Chrome handles navigation to certain URI schemes. Insufficient validation of the target URI in the Intents handling code can result in open redirect vulnerabilities — where an attacker can craft a web page that forces Chrome to navigate the user to an arbitrary attacker-controlled URL, bypassing the user's intent and potentially delivering phishing pages, malicious downloads, or other content from attacker infrastructure.
Overview
CVE-2021-38000 is an improper input validation vulnerability (CWE-601, URL Redirect to Untrusted Site) in Chrome's Intents handling. Insufficient validation allows a remote attacker to force Chrome to navigate to an arbitrary malicious URL via a crafted HTML page. The Scope: Changed (S:C) classification reflects that the navigation crosses from the attacker's page context to an attacker-controlled destination — affecting resources outside the original page's security context. Google patched CVE-2021-38000 in Chrome 95.0.4638.69 (October 28, 2021), confirming exploitation in the wild. It was patched in the same release as CVE-2021-38003 (V8 type confusion), and both were used in active exploits. CISA added it to the KEV catalog in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Chrome before 95.0.4638.69 | Yes | Chrome 95.0.4638.69 (October 28, 2021) |
| Microsoft Edge (Chromium) before the equivalent update | Yes | Edge update following Chrome 95 |
| Other Chromium-based browsers | Yes | Corresponding vendor updates |
Technical Details
- Root cause: Improper input validation (CWE-601) in Chrome's Intents URL handling — the browser does not properly validate or sanitize the destination URL in intent:// or similar URI handling, allowing an attacker-controlled page to force navigation to an arbitrary URL without user awareness or consent
- Open redirect exploitation: The vulnerability is used to force navigation to attacker-controlled pages that appear to come from a legitimate context; combined with a renderer exploit (such as CVE-2021-38003), the forced navigation can deliver exploit payloads in a context that bypasses URL-based filtering or content security policies
- Scope: Changed (S:C): The navigation crosses from the originating page's security context into an attacker-controlled domain — the browser's security context changes, potentially bypassing site-specific security controls
- Exploit chain partner: CVE-2021-38000 (forced navigation) was patched in the same Chrome release as CVE-2021-38003 (V8 type confusion RCE), strongly suggesting they were used together in an exploit chain: CVE-2021-38000 navigates the victim to attacker-controlled content, and CVE-2021-38003 executes code in the renderer upon arrival
- Limited direct impact: CWE-601 URL redirects have modest standalone CVSS scores; their true danger is as components of exploit delivery chains where redirecting to attacker-controlled content enables the delivery of more severe exploits
Discovery
The vulnerability was reported to Google as an in-the-wild zero-day and patched in Chrome 95.0.4638.69 alongside CVE-2021-38003. The simultaneous patching of a navigation vulnerability (38000) and a code execution vulnerability (38003) indicates they were components of a single observed exploit chain. CISA's November 2021 KEV addition reflects active exploitation in targeted campaigns.
Exploitation Context
Chrome open redirect/forced navigation vulnerabilities are used as delivery mechanisms in browser exploit chains. By forcing navigation to an attacker-controlled URL, CVE-2021-38000 allows attackers to deliver subsequent exploit stages (like CVE-2021-38003's V8 type confusion) from infrastructure they control, enabling delivery filtering, target validation, and payload staging. The November 2021 CISA KEV addition (before the November 23 CVE publication date) reflects that CISA had intelligence on active exploitation before the formal CVE was published.
Remediation
- Update Chrome to 95.0.4638.69 or later — any current Chrome release contains the fix
- Update all Chromium-based browsers separately (Edge, Opera, Brave, etc.)
- Enable automatic Chrome updates and verify enterprise policies don't block update delivery
- Apply both Chrome 95.0.4638.69 patches: CVE-2021-38000 (Intents navigation) and CVE-2021-38003 (V8 type confusion) are addressed in the same release
- Enable Enhanced Safe Browsing in Chrome to improve detection of malicious pages used in forced navigation attacks
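To verify the first two remediation items across a fleet, the following added example (not part of the original advisory) classifies browser inventory records against the fixed build 95.0.4638.69. The CSV layout, host names and sample versions are constructed for illustration. Because the advisory gives no fixed build for other Chromium-based browsers, those records are marked for a vendor check instead of being compared.

```python
import re

FIXED_CHROME = (95, 0, 4638, 69)  # first fixed Chrome build, per the advisory

# Constructed sample inventory (assumed layout: host,browser,version).
SAMPLE_INVENTORY = """\
ws-001,chrome,94.0.4606.81
ws-002,chrome,95.0.4638.54
ws-003,chrome,95.0.4638.69
ws-004,chrome,100.0.4896.60
ws-005,edge,94.0.992.50
ws-006,chrome,95.0.4638
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None unless text is a full a.b.c.d version."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(browser, version_text):
    """Classify one record as vulnerable, fixed, check-vendor or unknown."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"        # truncated or malformed version: re-collect it
    if browser.strip().lower() != "chrome":
        return "check-vendor"   # fixed build depends on the vendor's own release
    # Tuples compare numerically, so 100.x sorts above 95.x (strings would not).
    return "fixed" if version >= FIXED_CHROME else "vulnerable"

def audit(inventory):
    """Map each host in the CSV text to its classification."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, browser, version = (field.strip() for field in line.split(","))
        results[host] = classify(browser, version)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```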
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-38000 |
| Vendor / Product | Google — Chromium Intents |
| NVD Published | 2021-11-23 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 6.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-601 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2021-10-28 | Google releases Chrome 95.0.4638.69 patching CVE-2021-38000 and CVE-2021-38003 — both confirmed exploited in the wild |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
| 2021-11-23 | CVE published |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — Chrome 95.0.4638.69 | Vendor Advisory |
| NVD — CVE-2021-38000 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |