CVE-2021-21220

CVSS 8.8 HIGH · EPSS 70.4% · KEV · CWE-787
In short

Google Chrome's V8 engine did not properly validate untrusted input, allowing attackers to corrupt memory on a victim's computer through a specially crafted webpage. This could lead to crashes or potentially malicious code execution.

Technical detail

CWE-787 (out-of-bounds write) in V8 engine due to insufficient input validation. Remote attack vector via crafted HTML; no user interaction beyond visiting a malicious page required. Successful exploitation results in heap corruption, enabling potential code execution with renderer process privileges.

Summary generated and translated by AI from the official description.
Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Google · Chrome