Cyber Resilience

CVE-2021-30563

HighCISA KEVActive ExploitationEUVD Exploited

Published: 03 August 2021

Published
03 August 2021
Modified
24 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0265 86.1th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30563 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 13.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-30563 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 91.0.4472.164. The flaw resides in how V8 handles certain object types, which can lead to heap corruption when processing specially crafted input.

A remote attacker can exploit the issue by serving a malicious HTML page to a victim. With no privileges required and only user interaction needed to visit the page, successful exploitation grants the attacker the ability to corrupt heap memory, potentially resulting in arbitrary code execution with impacts to confidentiality, integrity, and availability.

Chrome stable channel updates released on 2021-07-20 address the vulnerability by updating V8 to a corrected version. The issue is also tracked in the Chromium bug tracker and appears in CISA's catalog of known exploited vulnerabilities, confirming active in-the-wild exploitation.

The high CVSS score of 8.8 reflects the combination of network attack vector, low complexity, and full impact potential when user interaction occurs.

EU & UK References

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 91.0.4472.164

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the Chrome 91.0.4472.164 update that corrects the V8 type-confusion flaw before exploitation can succeed.

prevent

Mandates memory-protection techniques (DEP, ASLR, sandboxing) that block or contain the heap corruption resulting from the type-confusion condition.

prevent

Requires process isolation (Chrome renderer/sandbox separation) that limits the blast radius of successful V8 heap corruption to the compromised renderer process.

References