V8 TheHole exception-handling bug leading to Chrome renderer RCE
CVE-2021-38003 is an inappropriate implementation flaw in the V8 JavaScript engine affecting Google Chrome prior to 95.0.4638.69. The bug is in V8 exception handling during JSON.stringify(), specifically in the JsonStringifier::SerializeArrayLikeSlow() path. Under an overflow condition reached through IncrementalStringBuilder::Accumulate() via Extend(), the code can return EXCEPTION without first setting pending_exception. Because V8 uses the internal sentinel value TheHole when no exception is pending, later exception handling can expose TheHole to attacker-controlled JavaScript. Public exploitation research showed that leaking TheHole can be abused to corrupt JavaScript Map state, obtain out-of-bounds array access, derive addrof and V8 heap read/write primitives, and ultimately achieve arbitrary write. In Chromium-based browsers this can be turned into renderer remote code execution from a crafted HTML page. Google reported exploitation in the wild.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a working exploit for CVE-2021-38003, a remote code execution vulnerability in the V8 JavaScript engine used by Google Chrome. The structure consists of an HTML file (exp.html) that acts as the main entry point, and two JavaScript files (wps2.js, wps3.js) that implement the exploit logic and payload. The exploit leverages a vulnerability in V8 to achieve arbitrary read/write primitives, then uses WebAssembly to allocate RWX memory and injects x86 shellcode for execution. The shellcode is embedded as a byte array in the JavaScript files. The exploit is operational and demonstrates full code execution in the browser context, requiring the user to open the HTML file in a vulnerable version of Chrome. No external network endpoints or domains are hardcoded; the exploit is self-contained and targets the local browser process.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Unknown (only referenced in related content; described as having exploits in the wild).
A vulnerability due to inappropriate implementation in V8 JavaScript engine in Google Chrome, exploited by Predator spyware.
One of five zero-day vulnerabilities reportedly exploited in an exploit chain to deliver the ALIEN implant; affects Google Chrome.
A V8 JavaScript engine vulnerability in Chrome/Chromium involving leakage of the internal TheHole value via JSON.stringify exception handling, which can be exploited to achieve renderer remote code execution.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.