CVE-2021-30551
published 2021-06-15CVE-2021-30551: Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PriorityP188high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2021-11-17
Exploited in the wild
EPSS
64.70%
99.1th percentile
Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| debian | chromium | < chromium 93.0.4577.82-1 (bookworm) | chromium 93.0.4577.82-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 91.0.4472.101 | 91.0.4472.101 | |
| chrome | >= unspecified < 91.0.4472.101 | 91.0.4472.101 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2021-30551 is a type confusion vulnerability in V8 (Google Chrome/Chromium) exploited in the wild; patch to Chrome 91.0.4472.101 or later to remediate ↗
- →Exploitation is delivered via a crafted HTML page (drive-by / watering hole); monitor for suspicious browser process crashes or heap corruption signals originating from V8 JIT activity ↗
- →CVE-2021-30551 was reported by Clement Lecigne of Google's Threat Analysis Group and Sergei Glazunov of Google Project Zero, indicating active in-the-wild exploitation at time of discovery (2021-06-04) ↗
- →Microsoft confirmed exploits for CVE-2021-30551 exist in the wild; Microsoft Edge (Chromium-based) version 91.0.864.48 (based on Chromium 91.0.4472.101) is the fixed version ↗
- →CVE-2021-30551 was leveraged as part of Candiru's DevilsTongue spyware deployment chain via watering hole attacks; hunt for DevilsTongue indicators on hosts running unpatched Chrome/Edge versions prior to 91.0.4472.101 ↗
- ·The CVE affects all Chromium-based browsers (Chrome, Edge, Opera, etc.), not just Google Chrome; patching must be applied across all Chromium-based browser deployments ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Project0
2022 0-day In-the-Wild Exploitation…so far - Project Zero
project_zero·2022-06-01·CVSS 8.8
CVE-2016-5128 [HIGH] 2022 0-day In-the-Wild Exploitation…so far - Project Zero
Posted by Maddie Stone, Google Project Zero
This blog post is an overview of a talk, “ 0-day In-the-Wild Exploitation in 2022…so far”, that I gave at the FIRST conference in June 2022. The slides are available here.
For the last three years, we’ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the 2021 Year in Review report, which we published just a few months ago in April. While we plan to stick with that annual cadence, we’re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022.
As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nin
GHSA
GHSA-gmxf-qj4v-rf52: Type confusion in V8 in Google Chrome prior to 91
ghsa_unreviewed·2022-05-24
CVE-2021-30551 [HIGH] CWE-843 GHSA-gmxf-qj4v-rf52: Type confusion in V8 in Google Chrome prior to 91
Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
OSV
CVE-2021-30551: Type confusion in V8 in Google Chrome prior to 91
osv·2021-06-15·CVSS 8.8
CVE-2021-30551 [HIGH] CVE-2021-30551: Type confusion in V8 in Google Chrome prior to 91
Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
VulnCheck
Google Chromium V8 Type Confusion Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-30551 [HIGH] CWE-122 Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/; https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; https://www.cisa.gov/sites/default/files/feeds/known_exploite
Project0
Project Zero RCA: CVE-2021-30551: Chrome Type Confusion in V8
project_zero·CVSS 8.8
CVE-2021-30551 [HIGH] Project Zero RCA: CVE-2021-30551: Chrome Type Confusion in V8
# CVE-2021-30551: Chrome Type Confusion in V8
*Sergei Glazunov, Project Zero*
## The Basics
**Disclosure or Patch Date:** 9 June 2021
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html
**Affected Versions:** pre 91.0.4472.101
**First Patched Version:** 91.0.4472.101
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1216437
**Patch CL:** https://chromium.googlesource.com/v8/v8/+/f9857fdf743eeb263aec3944259ad811f564291b
**Bug-Introducing CL:** N/A
**Reporter(s):** Clement Lecigne of Google's Threat Analysis Group and Sergei Glazunov of Google Project Zero
## The Code
**Proof-of-concept:**
```js
global_object = {};
setPropertyViaEmbed = (object, value, handler) => {
const embed =
Project0
Project Zero RCA: CVE-2022-1096: Chrome Type Confusion in Property Access Interceptor
project_zero·CVSS 8.8
CVE-2022-1096 [HIGH] Project Zero RCA: CVE-2022-1096: Chrome Type Confusion in Property Access Interceptor
# CVE-2022-1096: Chrome Type Confusion in Property Access Interceptor
## The Basics
**Disclosure or Patch Date:** 25 March 2022
**Product:** Google Chromium
**Advisory:** https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
**Affected Versions:** pre 99.0.4844.84
**First Patched Version:** 99.0.4844.84
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1309225
**Patch CL:** https://chromium.googlesource.com/v8/v8/+/0981e91a4f8692af337e2588562ad1504f4bffdc
**Bug-Introducing CL:** N/A
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:**
```
style = document.createElement('p').style;
style.prop = { toString: () => {
style.prop = 1;
}};
```
**Exploit sample:** N/A
**Access to the exploit sample?** No
## The Vu
CISA
Google Chromium V8 Type Confusion Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2021-30551 [HIGH] CWE-122 Google Chromium V8 Type Confusion Vulnerability
Vulnerability: Google Chromium V8 Type Confusion Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-30551
Remediation Due Date: 2021-11-17
Chrome
Stable Channel Update for Desktop: CVE-2021-30550
vendor_chrome·2021-06-09·CVSS 8.8
CVE-2021-30550 [HIGH] Stable Channel Update for Desktop: CVE-2021-30550
Stable Channel Update for Desktop
CVE-2021-30550: Use after free in Accessibility. Reported by David Erceg on 2021-05-23 [$NA][ 1216437 ] High CVE-2021-30551: Type Confusion in V8
Reported by Clement Lecigne of Google's Threat Analysis Group and Sergei Glazunov of Google Project Zero on 2021-06-04 [$TBD][ 1200679 ] Medium CVE-2021-30552: Use after free in Extensions
Severity: high
Microsoft
Chromium: CVE-2021-30551 Type Confusion in V8
vendor_msrc·2021-06-08·CVSS 8.8
CVE-2021-30551 [HIGH] Chromium: CVE-2021-30551 Type Confusion in V8
Chromium: CVE-2021-30551 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Microsoft is aware of reports that exploits for CVE-2021-30551 exist in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of
Debian
CVE-2021-30551: chromium - Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote at...
vendor_debian·2021·CVSS 8.8
CVE-2021-30551 [HIGH] CVE-2021-30551: chromium - Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote at...
Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 93.0.4577.82-1)
bullseye: resolved (fixed in 93.0.4577.82-1)
forky: resolved (fixed in 93.0.4577.82-1)
sid: resolved (fixed in 93.0.4577.82-1)
trixie: resolved (fixed in 93.0.4577.82-1)
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISAs Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
#### Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to
Securelist
IT threat evolution in Q2 2021. PC statistics
blogs_securelist·2021-08-12
IT threat evolution in Q2 2021. PC statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Attack on Colonial Pipeline and closure of DarkSide
Closure of Avaddon
Clash with Clop
Attacks on NAS devices
Number of new ransomware modifications
Number of users attacked by ransomware Trojans
Geography of ransomware attacks
Top 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by cybercriminals during cyberattacks
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries that serve as sources of web-based attacks: Top 10
Countries where users fa
Securelist
IT threat evolution in Q2 2021. PC statistics
blogs_securelist·2021-08-12
IT threat evolution in Q2 2021. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2021:
- Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.
- Web antivirus recognized 675,832,360 unique URLs as malicious.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.
- Ransomware attacks were defeated on the computers
Crowdstrike
Patch Tuesday 2021: A Vulnerability Deep Dive
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Patch Tuesday 2021: A Vulnerability Deep Dive
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand AT
Recorded Future
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
blogs_recorded_future
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
# Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Note: The analysis cut-off date for this report was June 26, 2025
## Executive Summary
Insikt Group identified new infrastructure associated with several clusters linked to the spyware vendor Candiru. This includes both victim-facing components likely used for deploying and controlling Candiru’s DevilsTongue spyware, as well as higher-tier operator infrastructure. DevilsTongue is a sophisticated, modular Windows malware. The clusters vary in design and administration, with some directly managing victim-facing systems, while others use intermediaries or the Tor network. Eight distinct clusters were identified, with five being likely still active, including those linked to Hungary and Saudi Arabia. One cluster tied to Indones
Crowdstrike
Patch Tuesday 2021: A Vulnerability Deep Dive
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Patch Tuesday 2021: A Vulnerability Deep Dive
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VI
Recorded Future
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
blogs_recorded_future
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
## Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Note: The analysis cut-off date for this report was June 26, 2025
## Executive Summary
Insikt Group identified new infrastructure associated with several clusters linked to the spyware vendor Candiru. This includes both victim-facing components likely used for deploying and controlling Candiru’s DevilsTongue spyware, as well as higher-tier operator infrastructure. DevilsTongue is a sophisticated, modular Windows malware. The clusters vary in design and administration, with some directly managing victim-facing systems, while others use intermediaries or the Tor network. Eight distinct clusters were identified, with five being likely still active, including those linked to Hungary and Saudi Arabia. One cluster tied to Indone
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.htmlhttps://crbug.com/1216437https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/https://security.gentoo.org/glsa/202107-06https://security.gentoo.org/glsa/202208-25https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.htmlhttps://crbug.com/1216437https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/https://security.gentoo.org/glsa/202107-06https://security.gentoo.org/glsa/202208-25https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30551
2021-06-15
Published
2021-11-03
Added to CISA KEV
Exploited in the wild