Cyber Resilience

CVE-2021-21148

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 09 February 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2231 (95.9th percentile)
Risk Priority: 51 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-21148 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in V8 in Google Chrome; Fedora (fedoraproject) is listed among the affected products. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 4.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2021-21148 is a heap buffer overflow vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 88.0.4324.150. The flaw, classified under CWE-787 as an out-of-bounds write, resides in the handling of certain JavaScript operations that can lead to heap corruption when processing untrusted input.

A remote attacker can exploit the issue by serving a specially crafted HTML page to a victim, triggering the overflow during V8 execution. With a CVSS score of 8.8, successful exploitation could allow arbitrary code execution or full compromise of the browser process, affecting confidentiality, integrity, and availability. The attacker needs no authentication or privileges (PR:N), but the victim must load the page (UI:R).

Advisories from the Chrome release notes and Fedora package lists recommend immediate upgrade to Chrome 88.0.4324.150 or later stable builds, with corresponding updates distributed through standard channels for affected Linux distributions. A proof-of-concept exploit referencing array transfer bypass techniques has been published, indicating public availability of attack code shortly after disclosure.

Vulnerability details

Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google / chrome: ≤ 88.0.4324.150
fedoraproject / fedora: 32, 33
debian / debian linux: 10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of the vendor-supplied patch that eliminates the heap buffer overflow in V8.

prevent: Enforces configuration settings that mandate current, patched browser versions and restrict execution of untrusted JavaScript.

prevent, detect: Provides malicious-code protections that can block or alert on crafted HTML pages attempting to trigger the V8 flaw.
