Vulnerability Detail
Enriched intelligence for a single CVE
High
CVE-2021-21220
PUBLISHEDInsufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap...
- Vendor
- Product
- Chrome
- Published
- Apr 26, 2021
- EPSS
- —
Automate This Intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.
Description
Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Weaknesses (CWE)
-
Out-of-bounds Write
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploitation Status
Exploited in the wild
Recorded 2021-11-03 00:00:00 UTC · CISA
Proof of concept available
Recorded 2021-09-15 03:11:41 UTC · GitHub
References
- https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html
- https://crbug.com/1196683
- https://security.gentoo.org/glsa/202104-08
- http://packetstormsecurity.com/files/162437/Google-Chrome-XOR-Typer-Out-Of-Bounds-Access-Remote-Code-Execution.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY/
- http://packetstormsecurity.com/files/176210/Chrome-V8-JIT-XOR-Arbitrary-Code-Execution.html
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA First | 2021-11-03 00:00 UTC |
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation.rb | Apr 28, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2021-09-15 03:11:41 UTC · 9 stars
metasploit · Created Unknown
Metasploit module for CVE-2021-21220
Timeline
-
Detected by Metasploit
-
Added to KEVIntel
-
Proof of Concept Exploit Available
-
CVE Published to Public
-
CVE ID Reserved