cbcvebase.
CVE-2021-21220
published 2021-04-26

Priority: P1 · 90 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 70.44% (99.3th percentile)

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected

12 ranges

Vendor | Product | Version range | Fixed in
chromium | chromium | >= 0 < 90.0.4430.72-1 | 90.0.4430.72-1
chromium | chromium | >= 0 < 90.0.4430.72-1 | 90.0.4430.72-1
chromium | chromium | >= 0 < 90.0.4430.72-1 | 90.0.4430.72-1
chromium | chromium | >= 0 < 90.0.4430.72-1 | 90.0.4430.72-1
debian | chromium | < chromium 90.0.4430.72-1 (bookworm) | chromium 90.0.4430.72-1 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
fedoraproject | fedora | |
google | chrome | < 89.0.4389.128 | 89.0.4389.128
google | chrome | >= unspecified < 89.0.4389.128 | 89.0.4389.128
google | chrome_chrome | |
msrc | microsoft_edge | |

Detection & IOCs (extracted from sources)

hash: b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105
domain: media-seoengine[.]com
path: %SYSTEM%\WmiPrvMon.exe
path: %SYSTEM%\wmimon.dll
  • Kaspersky detection verdicts for PuzzleMaker exploit chain artifacts: PDM:Exploit.Win32.Generic, PDM:Trojan.Win32.Generic, UDS:DangerousObject.Multi.Generic
  • Monitor for creation of WmiPrvMon.exe and wmimon.dll under %SYSTEM% as indicators of the PuzzleMaker dropper payload associated with the CVE-2021-21220 exploit chain
  • The CVE-2021-21220 PoC exploit requires a Uint32Array element of value 0x80000000 XORed with 0 followed by an add-1 operation to trigger the ChangeInt32ToInt64 type confusion in V8's JIT compiler; look for this pattern in JavaScript
  • Many Water Labbu infrastructure links for loading additional scripts were no longer active at time of research; IOC coverage may be incomplete

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | 8.8 | HIGH
vulncheck | 8.8 | HIGH
cisa | 8.8 | HIGH
vendor_debian | 8.8 | HIGH
vendor_msrc | 8.8 | HIGH