CVE-2021-21148
published 2021-02-09CVE-2021-21148: Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PriorityP184high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2021-11-17
Exploited in the wild
EPSS
19.81%
97.1th percentile
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 88.0.4324.150-1 | 88.0.4324.150-1 |
| chromium | chromium | >= 0 < 88.0.4324.150-1 | 88.0.4324.150-1 |
| chromium | chromium | >= 0 < 88.0.4324.150-1 | 88.0.4324.150-1 |
| chromium | chromium | >= 0 < 88.0.4324.150-1 | 88.0.4324.150-1 |
| debian | chromium | < chromium 88.0.4324.150-1 (bookworm) | chromium 88.0.4324.150-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 88.0.4324.150 | 88.0.4324.150 | |
| chrome | >= unspecified < 88.0.4324.150 | 88.0.4324.150 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2021-21148 is a heap buffer overflow in the V8 JavaScript engine, exploited via a crafted HTML page delivered remotely; detection should focus on Chrome/Edge versions prior to 88.0.4324.150 (Chrome) or 88.0.705.63 (Edge) processing attacker-controlled web content ↗
- →Google confirmed an in-the-wild exploit exists for CVE-2021-21148; treat any Chrome/Edge instance below the patched version as actively at risk ↗
- →The bug was reported on 2021-01-24 and patched 2021-02-04; any exploitation activity observed between those dates should be treated as zero-day usage ↗
- →Exploitation has been attributed to the North Korean Lazarus group; correlate CVE-2021-21148 exploitation indicators with Lazarus TTPs in threat hunting ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Google Chromium V8 Heap Buffer Overflow Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2021-21148 [HIGH] CWE-122 Google Chromium V8 Heap Buffer Overflow Vulnerability
Vulnerability: Google Chromium V8 Heap Buffer Overflow Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-21148
Remediation Due Date: 2021-11-17
Microsoft
Chromium CVE-2021-21148: Heap buffer overflow in V8
vendor_msrc·2021-02-09·CVSS 8.8
CVE-2021-21148 [HIGH] Chromium CVE-2021-21148: Heap buffer overflow in V8
Chromium CVE-2021-21148: Heap buffer overflow in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
This CVE has been reported to be exploited in the wild.
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
88.0.705.63
2/5/2021
88.0.4324.150
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulne
Chrome
Stable Channel Update for Desktop: CVE-2021-21148
vendor_chrome·2021-02-04·CVSS 8.8
CVE-2021-21148 [HIGH] Stable Channel Update for Desktop: CVE-2021-21148
Stable Channel Update for Desktop
CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24 Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild
Severity: high
Debian
CVE-2021-21148: chromium - Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a rem...
vendor_debian·2021·CVSS 8.8
CVE-2021-21148 [HIGH] CVE-2021-21148: chromium - Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a rem...
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 88.0.4324.150-1)
bullseye: resolved (fixed in 88.0.4324.150-1)
forky: resolved (fixed in 88.0.4324.150-1)
sid: resolved (fixed in 88.0.4324.150-1)
trixie: resolved (fixed in 88.0.4324.150-1)
GHSA
GHSA-6675-f3rx-hqr9: Heap buffer overflow in V8 in Google Chrome prior to 88
ghsa_unreviewed·2022-05-24
CVE-2021-21148 [HIGH] CWE-787 GHSA-6675-f3rx-hqr9: Heap buffer overflow in V8 in Google Chrome prior to 88
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
OSV
CVE-2021-21148: Heap buffer overflow in V8 in Google Chrome prior to 88
osv·2021-02-09·CVSS 8.8
CVE-2021-21148 [HIGH] CVE-2021-21148: Heap buffer overflow in V8 in Google Chrome prior to 88
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
VulnCheck
Google Chromium V8 Heap Buffer Overflow Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-21148 [HIGH] CWE-122 Google Chromium V8 Heap Buffer Overflow Vulnerability
Google Chromium V8 Heap Buffer Overflow Vulnerability
Google Chromium V8 Engine contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2021-11-17
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Sentinelone
6 Real-World Threats to Chromebooks and ChromeOS
blogs_sentinelone·2022-01-26·CVSS 9.6
[CRITICAL] 6 Real-World Threats to Chromebooks and ChromeOS
Chromebooks and ChromeOS have earned themselves a deserved reputation for being more secure than many other devices and operating systems, so much so that “Chromebooks don’t get viruses” is the new “Macs don’t get viruses”. But as many Mac users of the past will now tell you today, complacency in taking proper security measures is the first step on the path to compromise.
The popularity of Chromebooks among students and in educational institutions means they provide an enticing target to threat actors looking to scoop up PII for sale, or credentials to leverage in targeted attacks. Chromebooks may not have the same kind or number of security problems as, say, Windows devices, but that’s not to say there are not genuine threats that ChromeOS users need to be aware of.
## 1. Actors Activel
Sentinelone
6 Real-World Threats to Chromebooks and ChromeOS
blogs_sentinelone·2022-01-26·CVSS 9.6
[CRITICAL] 6 Real-World Threats to Chromebooks and ChromeOS
Chromebooks and ChromeOS have earned themselves a deserved reputation for being more secure than many other devices and operating systems, so much so that “Chromebooks don’t get viruses” is the new “Macs don’t get viruses”. But as many Mac users of the past will now tell you today , complacency in taking proper security measures is the first step on the path to compromise.
The popularity of Chromebooks among students and in educational institutions means they provide an enticing target to threat actors looking to scoop up PII for sale, or credentials to leverage in targeted attacks. Chromebooks may not have the same kind or number of security problems as, say, Windows devices, but that’s not to say there are not genuine threats that ChromeOS users need to be aware of .
## 1. Actors Activ
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISAs Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
#### Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
IT threat evolution Q1 2021. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Attack geography
Top 10 most common families of ransomware Trojans
Miners
Number of new modifications
Number of users attacked by miners
Attack geography
Vulnerable applications used by cybercriminals during cyber attacks
Attacks on macOS
Threat geography
IoT attacks
IoT threat statistics
SSH-based attacks
Threats loaded into traps
Attacks via web resources
Countries that are sources of web-based attacks: Top 10
Countries where users faced the greatest risk of online infection
Local threats
Countries where users faced the highest risk of local infection
Autho
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
IT threat evolution Q1 2021. Non-mobile statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2021:
- Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
- 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
- Ransomware att
Krebs
Microsoft Patch Tuesday, February 2021 Edition
blogs_krebs·2021-02-09·CVSS 7.8
[HIGH] Microsoft Patch Tuesday, February 2021 Edition
Microsoft today rolled out updates to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.
Nine of the 56 vulnerabilities earned Microsoft’s most urgent “critical” rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.
The flaw being exploited in the wild already — CVE-2021-1732 — affects Windows 10, Server 2016 and later editions. It received a slightly less dire “important” rating and mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, wh
Krebs
Microsoft Patch Tuesday, February 2021 Edition
blogs_krebs·2021-02-09·CVSS 7.8
[HIGH] Microsoft Patch Tuesday, February 2021 Edition
Microsoft today rolled out updates to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.
Nine of the 56 vulnerabilities earned Microsoft’s most urgent “critical” rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.
The flaw being exploited in the wild already — CVE-2021-1732 — affects Windows 10, Server 2016 and later editions. It received a slightly less dire “important” rating and mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, wh
Checkpoint
8th February – Threat Intelligence Report
blogs_checkpoint·2021-02-08
CVE-2021-20016 8th February – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 8th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th February, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Check Point Research have collaborated in a research investigating the renewed activity and toolset of ‘Infy’, an Iranian APT active since 2007. Infy’s targets are found mostly in Sweden, the Netherlands and Turkey, and the group has recently integrated a new second-stage payload called ‘Tonnerre’.
Check Point Anti-Virus
Tenable
CVE-2021-21148: Google Chrome Heap Buffer Overflow Vulnerability Exploited in the Wild
blogs_tenable·2021-02-05·CVSS 8.8
[HIGH] CVE-2021-21148: Google Chrome Heap Buffer Overflow Vulnerability Exploited in the Wild
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Crowdstrike
Patch Tuesday 2021: A Vulnerability Deep Dive
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Patch Tuesday 2021: A Vulnerability Deep Dive
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand AT
Crowdstrike
Patch Tuesday 2021: A Vulnerability Deep Dive
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Patch Tuesday 2021: A Vulnerability Deep Dive
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VI
http://packetstormsecurity.com/files/162579/Chrome-Array-Transfer-Bypass.htmlhttps://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.htmlhttps://crbug.com/1170176https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ACWYJ74Z3YN2XH4QMUEGNBC3VXX464L/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUQSMNV7INLDDSD3RKI5S5EAULX2QC7P/https://security.gentoo.org/glsa/202104-08https://www.debian.org/security/2021/dsa-4858http://packetstormsecurity.com/files/162579/Chrome-Array-Transfer-Bypass.htmlhttps://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.htmlhttps://crbug.com/1170176https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ACWYJ74Z3YN2XH4QMUEGNBC3VXX464L/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUQSMNV7INLDDSD3RKI5S5EAULX2QC7P/https://security.gentoo.org/glsa/202104-08https://www.debian.org/security/2021/dsa-4858https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21148
2021-02-09
Published
2021-11-03
Added to CISA KEV
Exploited in the wild