CVE-2021-30551
Published: 15 June 2021
Summary
CVE-2021-30551 is a high-severity Type Confusion (CWE-843) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2021-30551 is a type confusion flaw in the V8 JavaScript engine of Google Chrome versions prior to 91.0.4472.101. It is tracked under CWE-843 and rated 8.8 on CVSS 3.1, reflecting a network attack vector with low attack complexity.
A remote attacker can exploit the issue by delivering a crafted HTML page, which may trigger heap corruption and allow impacts to confidentiality, integrity, and availability on the affected system.
Chrome release notes and downstream advisories from Fedora and Gentoo direct users to apply the stable channel update to version 91.0.4472.101 or later to address the flaw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17472
Vulnerability details
Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the Chrome 91.0.4472.101 (or later) patch that eliminates the type-confusion flaw in V8.
Imposes usage restrictions and sandboxing on mobile code (JavaScript) executed by the browser, limiting the attack surface that triggers the V8 flaw.
Deploys malicious-code detection mechanisms that can block or alert on crafted HTML pages attempting to exploit the heap-corruption vulnerability.