CVE-2021-38003 — Google Chromium V8 Memory Corruption Vulnerability

CVE-2021-38003

Google Chrome V8 Engine — JSON.stringify TheHole Value Leak Causes Memory Corruption; Zero-Day Exploited Before CVE Publication

What is Google Chrome V8?

V8 is Google's open-source JavaScript and WebAssembly engine, written in C++, that powers Google Chrome, Microsoft Edge (Chromium-based), Opera, Brave, and virtually every modern Chromium-based browser. V8 compiles JavaScript to machine code at runtime using JIT (just-in-time) compilation, manages memory through garbage collection, and implements the entire JavaScript language specification. As the engine that executes untrusted JavaScript from every web page a user visits, V8 is a high-value target: memory corruption vulnerabilities in V8 can be exploited remotely through a malicious webpage with no user action beyond visiting the page (User Interaction: Required means the user must navigate to the page, not that they must click anything specific).

Overview

CVE-2021-38003 is a memory corruption vulnerability (CWE-755: Improper Handling of Exceptional Conditions) in the V8 JavaScript engine's JSON.stringify implementation. V8 uses an internal sentinel value called "TheHole" to represent empty slots in JavaScript arrays (sparse arrays). When JSON.stringify encounters a TheHole value in certain code paths, it fails to handle this exceptional internal state correctly — allowing the TheHole value to "leak" into JavaScript code that should never see it. Attacker-supplied JavaScript can then use this leaked internal value to cause type confusion and memory corruption, enabling code execution within the Chrome renderer process.

Google patched this as a zero-day in Chrome 95.0.4638.69 on November 1, 2021. CISA added it to KEV two days later — before the formal CVE number was even published to NVD (which happened on November 23, 2021, three weeks after the patch).

Affected Versions

Product                                                  | Vulnerable | Fixed
Google Chrome before 95.0.4638.69                        | Yes        | 95.0.4638.69
Microsoft Edge (Chromium-based) before equivalent update | Yes        | Chromium-based Edge update
Other Chromium-based browsers                            | Yes        | Depends on browser update cadence

Technical Details

  • Root cause: Improper handling of exceptional conditions (CWE-755) — V8's JSON.stringify function fails to handle the internal TheHole sentinel value correctly when it encounters one in a JavaScript array
  • TheHole explained: V8 uses a special internal value called "TheHole" to represent empty (uninitialized) slots in sparse arrays — e.g., const a = [1, , 3] has a TheHole at index 1. This value is meant to be invisible to JavaScript code and handled entirely within V8's internals
  • The leak: A bug in JSON.stringify allows TheHole to escape from V8's internal representation into user-accessible JavaScript data, creating a type confusion condition
  • Exploitation: Once TheHole is accessible to attacker-controlled JavaScript, it can be used to confuse V8's type system, leading to out-of-bounds reads/writes in V8's heap — a classic V8 exploitation primitive for achieving renderer code execution
  • Renderer sandbox: Code execution in V8 reaches the Chrome renderer process, which is sandboxed. Full browser exploitation typically chains a V8 bug with a separate sandbox escape — though the V8 bug alone is sufficient to steal data from the current browser session
  • User interaction: The user must navigate to a malicious page or open a malicious HTML document — no further interaction is required beyond that

Discovery

Reported to Google by security researchers. The zero-day was being actively exploited in the wild when Google released the patch. The nature and targets of the exploitation were not publicly disclosed, but the combination of active exploitation and the rapid CISA KEV addition (two days after the patch) suggests targeted use rather than mass exploitation.

Exploitation Context

Chrome zero-days in V8 are highly valued by advanced threat actors including nation-state groups and commercial spyware vendors. The typical exploitation chain: deliver a malicious webpage or HTML file (via phishing, drive-by download, or watering hole attack), exploit CVE-2021-38003 for renderer code execution, then chain with a separate sandbox escape for full OS access. CISA's rapid addition to KEV (November 3, two days after the November 1 patch) underscores confirmed active exploitation before the formal CVE was even published. 2021 was a particularly active year for Chrome zero-days, with over a dozen patched during the year.

Remediation

  1. Update Google Chrome to 95.0.4638.69 or later — or any current Chrome stable release
  2. Enable automatic Chrome updates: Chrome menu → Help → About Google Chrome (triggers update check)
  3. Update all Chromium-based browsers (Microsoft Edge, Brave, Opera) — each has its own update cycle, but every one of them had to ship the patched V8 build
  4. For enterprise environments: use Google Update or Microsoft Endpoint Manager to push Chrome/Edge updates centrally
  5. Consider enabling Chrome's Enhanced Safe Browsing for additional protection against malicious pages
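To make the version check in the remediation steps repeatable across a fleet, the following added example (not part of this advisory) compares reported browser version strings against the fixed Chrome build 95.0.4638.69 named above. The inventory lines, host names and the "check-vendor" status for Edge are constructed for illustration; Edge uses its own version numbering, so its rows are flagged for a separate look-up rather than compared against the Chrome fix version.

```python
"""Triage a browser inventory for CVE-2021-38003 (Chrome fixed in 95.0.4638.69).
Added example; not part of the advisory or any vendor tooling."""
import re
from typing import Dict, Optional, Tuple

# First patched Chrome stable release, taken from the advisory text.
FIXED_CHROME = (95, 0, 4638, 69)

# Dotted version with two to four numeric components, e.g. "95.0.4638.54".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a version tuple from text such as 'Google Chrome 95.0.4638.54'.
    Short versions are right-padded with zeros so tuples compare component-wise."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(product: str) -> Optional[bool]:
    """True if the Chrome/Chromium version is below the fix, None if unparseable."""
    version = parse_version(product)
    if version is None:
        return None
    return version < FIXED_CHROME


def triage(inventory_csv: str) -> Dict[str, str]:
    """Map each 'host,product-string' line to vulnerable / patched / unknown / check-vendor."""
    results: Dict[str, str] = {}
    for line in inventory_csv.strip().splitlines():
        host, product = line.split(",", 1)
        if "edge" in product.lower():
            results[host] = "check-vendor"  # Edge numbering differs from Chrome's
            continue
        vuln = is_vulnerable(product)
        results[host] = "unknown" if vuln is None else ("vulnerable" if vuln else "patched")
    return results


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = """\
ws-01,Google Chrome 95.0.4638.54
ws-02,Google Chrome 95.0.4638.69
ws-03,Chromium 96.0.4664.45
ws-04,Microsoft Edge 95.0.1020.30
ws-05,Google Chrome (version unavailable)
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```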

Key Details

Property            | Value
CVE ID              | CVE-2021-38003
Vendor / Product    | Google — Chromium V8
NVD Published       | 2021-11-23
NVD Last Modified   | 2025-10-24
CVSS 3.1 Score      | 8.8
CVSS 3.1 Vector     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity            | HIGH
CWE                 | CWE-755
CISA KEV Added      | 2021-11-03
CISA KEV Deadline   | 2021-11-17
Known Ransomware Use| No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date       | Event
2021-11-01 | Google releases Chrome 95.0.4638.69, patching CVE-2021-38003 as a zero-day actively exploited in the wild
2021-11-03 | CISA adds CVE-2021-38003 to the Known Exploited Vulnerabilities catalog — two days after the patch
2021-11-17 | CISA BOD 22-01 remediation deadline
2021-11-23 | CVE formally published to NVD — three weeks after the patch and KEV addition