Cyber Resilience

CVE-2021-30632

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 08 October 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8378 (99.3rd percentile)
Risk Priority: 88 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30632 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in V8 in Google Chrome; Fedoraproject Fedora is also listed as affected. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2021-30632 is an out-of-bounds write vulnerability in the V8 JavaScript engine affecting Google Chrome versions prior to 93.0.4577.82. The flaw is classified under CWE-787 and carries a CVSS 3.1 score of 8.8, indicating high impact on confidentiality, integrity, and availability.

A remote attacker can exploit the issue by serving a crafted HTML page to a victim, triggering heap corruption in the browser's JavaScript execution environment. Per the CVSS vector, no authentication or privileges are required (PR:N), but user interaction is required (UI:R).

Chrome stable channel updates and corresponding Fedora package advisories recommend upgrading to version 93.0.4577.82 or later to address the vulnerability. Public references also include a Chromium bug tracker entry and a technical report describing a JIT compiler type confusion trigger.

The provided Packet Storm reference points to a proof-of-concept exploit targeting the same code path.

EU & UK References

Vulnerability details

Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome: ≤ 93.0.4577.82
fedoraproject fedora: 33, 35

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely application of patches to eliminate the out-of-bounds write flaw in V8 before a crafted HTML page can trigger heap corruption.

SC-18 Mobile Code partial match
prevent

Controls the execution and behavior of mobile code (JavaScript) that an attacker uses to reach the vulnerable JIT/type-confusion path in Chrome.

CM-6 Configuration Settings
prevent

Enforces configuration settings that mandate an updated Chrome version, preventing use of builds containing the V8 memory-corruption flaw.

References