CVE-2021-30563
Published: 03 August 2021
Summary
CVE-2021-30563 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 13.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-30563 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 91.0.4472.164. The flaw resides in how V8 handles certain object types, which can lead to heap corruption when processing specially crafted input.
A remote attacker can exploit the issue by serving a malicious HTML page to a victim. With no privileges required and only user interaction needed to visit the page, successful exploitation grants the attacker the ability to corrupt heap memory, potentially resulting in arbitrary code execution with impacts to confidentiality, integrity, and availability.
Chrome stable channel updates released on 2021-07-20 address the vulnerability by updating V8 to a corrected version. The issue is also tracked in the Chromium bug tracker and appears in CISA's catalog of known exploited vulnerabilities, confirming active in-the-wild exploitation.
The high CVSS score of 8.8 reflects the combination of network attack vector, low complexity, and full impact potential when user interaction occurs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17483
Vulnerability details
Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-843 (Type Confusion)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the Chrome 91.0.4472.164 update that corrects the V8 type-confusion flaw before exploitation can succeed.
- SI-16 (Memory Protection): mandates memory-protection techniques (DEP, ASLR, sandboxing) that block or contain the heap corruption resulting from the type-confusion condition.
- SC-39 (Process Isolation): requires process isolation (Chrome renderer/sandbox separation) that limits the blast radius of successful V8 heap corruption to the compromised renderer process.
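As an added example, not part of this advisory, the following check implements the flaw-remediation control above: it parses Chrome version strings as integer tuples and flags hosts whose build predates 91.0.4472.164, treating unparseable versions as unverified. The hostnames and inventory records are constructed for illustration.

```python
import re
from typing import Iterable

# Fixed version named in the advisory: Chrome builds older than this carry CVE-2021-30563.
FIXED_VERSION = "91.0.4472.164"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_chrome_version(version: str) -> tuple[int, int, int, int]:
    """Parse a four-part Chrome version string into a tuple of ints.

    Comparing as integers matters: a plain string comparison would rank
    "91.0.4472.77" above "91.0.4472.164" because "7" sorts after "1".
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome-style version: {version!r}")
    major, minor, build, patch = (int(p) for p in version.split("."))
    return (major, minor, build, patch)


def is_vulnerable_to_cve_2021_30563(version: str) -> bool:
    """True when the installed build predates the 91.0.4472.164 fix."""
    return parse_chrome_version(version) < parse_chrome_version(FIXED_VERSION)


def hosts_needing_remediation(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return hostnames whose Chrome build is older than the fixed version.

    Records with an unparseable version are reported too: an unknown build
    is treated as unpatched until verified rather than silently skipped.
    """
    flagged = []
    for host, version in inventory:
        try:
            vulnerable = is_vulnerable_to_cve_2021_30563(version)
        except ValueError:
            vulnerable = True
        if vulnerable:
            flagged.append(host)
    return flagged


# Constructed sample inventory (hostname, reported Chrome version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "91.0.4472.77"),   # older patch number in the same build: vulnerable
    ("ws-02", "91.0.4472.164"),  # exactly the fixed version: not vulnerable
    ("ws-03", "92.0.4515.107"),  # newer release: not vulnerable
    ("ws-04", "90.0.4430.212"),  # earlier branch: vulnerable
    ("ws-05", "unknown"),        # unparseable: flagged for verification
]

if __name__ == "__main__":
    print(hosts_needing_remediation(SAMPLE_INVENTORY))  # ['ws-01', 'ws-04', 'ws-05']
```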