CVE-2021-38000: 
vulnerability analysis and mitigation

CVE-2021-38000 is a security vulnerability discovered in Google Chrome on Android prior to version 95.0.4638.69. The vulnerability stems from insufficient validation of untrusted input in Intents, which allowed remote attackers to arbitrarily redirect the browser to malicious URLs through crafted HTML pages (NVD, Chrome Releases).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts on both confidentiality and integrity, but no impact on availability (NVD).

When successfully exploited, the vulnerability allows an attacker to redirect users to malicious URLs through specially crafted HTML pages, potentially leading to phishing attacks or other malicious activities. The vulnerability affects the confidentiality and integrity of the system with low severity (Hacker News).

Google has released a patch in Chrome version 95.0.4638.69 to address this vulnerability. Users are strongly advised to update their Chrome browsers to this version or later. The fix has also been incorporated into various Linux distributions, including Debian and Fedora (Debian Advisory, Fedora Update).