Cyber Resilience

CVE-2021-21220

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 April 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9124 (99.7th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-21220 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the V8 JavaScript engine of Google Chrome; Fedoraproject Fedora 32, 33 and 34 are also listed as affected. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an out-of-bounds write issue (CWE-787) stemming from insufficient validation of untrusted input in the V8 JavaScript engine within Google Chrome versions prior to 89.0.4389.128. It affects the browser's handling of crafted web content and carries a CVSS 3.1 base score of 8.8.

A remote attacker can exploit the flaw by serving a malicious HTML page to a victim, triggering heap corruption that may allow arbitrary code execution with the privileges of the Chrome process. User interaction is required in the form of visiting the page, after which the attacker could achieve full confidentiality, integrity, and availability impact.

Chrome stable channel updates and distribution advisories such as the Fedora package announcement direct users to upgrade immediately to version 89.0.4389.128 or later to address the issue. Public exploit code demonstrating remote code execution via the V8 JIT component has been published on Packet Storm.

The associated Chromium bug tracker entry provides additional technical details for analysts reviewing patch diffs or memory safety improvements in V8.

Vulnerability details

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google / chrome: ≤ 89.0.4389.128
fedoraproject / fedora: 32, 33, 34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of untrusted input, which is the root cause of the V8 out-of-bounds write on crafted HTML.

Prevent: Mandates timely application of the Chrome 89.0.4389.128 patch that eliminates the V8 heap-corruption flaw.

Prevent: Requires memory-protection mechanisms that can block exploitation of the resulting heap corruption even if input validation fails.
