CVE-2021-21224
Published: 26 April 2021
Summary
CVE-2021-21224 is a high-severity Type Confusion (CWE-843) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 2.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability CVE-2021-21224 is a type confusion flaw (CWE-843) in the V8 JavaScript engine of Google Chrome versions prior to 90.0.4430.85. It received a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
A remote attacker can exploit the issue by delivering a crafted HTML page that triggers the type confusion, resulting in arbitrary code execution inside the renderer sandbox. The attack requires the victim to load the malicious page in an affected browser but needs no additional privileges or authentication.
Chrome release notes and associated advisories direct users to upgrade immediately to version 90.0.4430.85 or newer. Downstream distributions such as Fedora have published corresponding package updates to apply the same fix.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8615
Vulnerability details
Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch that eliminates the type-confusion flaw in V8.
Requires policy and technical controls governing execution of mobile code (JavaScript) that is the attack vector for this V8 flaw.
Enforces process isolation boundaries that limit the impact of code executed inside the renderer sandbox after exploitation.