Cyber Resilience

CVE-2021-30551

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 15 June 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8222 (99.2th percentile)
Risk Priority: 87 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30551 is a high-severity Type Confusion (CWE-843) vulnerability in V8 in Google Chrome; Fedora 33 and 34 are also listed as affected. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2021-30551 is a type confusion flaw in the V8 JavaScript engine of Google Chrome versions prior to 91.0.4472.101. It is tracked under CWE-843 and rated 8.8 on CVSS 3.1, reflecting a network attack vector with low attack complexity.

A remote attacker can exploit the issue by delivering a crafted HTML page, which may trigger heap corruption and allow impacts to confidentiality, integrity, and availability on the affected system.

Chrome release notes and downstream advisories from Fedora and Gentoo direct users to apply the stable channel update to version 91.0.4472.101 or later to address the flaw.

Vulnerability details

Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-843
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google / chrome: ≤ 91.0.4472.101
fedoraproject / fedora: 33, 34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation
prevent

Directly requires timely installation of the Chrome 91.0.4472.101 (or later) patch that eliminates the type-confusion flaw in V8.

SC-18 Mobile Code (partial match)
prevent

Imposes usage restrictions and sandboxing on mobile code (JavaScript) executed by the browser, limiting the attack surface that triggers the V8 flaw.

prevent, detect

Deploys malicious-code detection mechanisms that can block or alert on crafted HTML pages attempting to exploit the heap-corruption vulnerability.
