CVE-2021-30632
published 2021-10-08CVE-2021-30632: Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PriorityP189high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2021-11-17
Exploited in the wild
EPSS
64.55%
99.1th percentile
Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| debian | chromium | < chromium 93.0.4577.82-1 (bookworm) | chromium 93.0.4577.82-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 93.0.4577.82 | 93.0.4577.82 | |
| chrome | >= unspecified < 93.0.4577.82 | 93.0.4577.82 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2021-30632 is exploited in the wild (CISA KEV listed); target is Google Chromium V8 engine — versions prior to 93.0.4577.82 are vulnerable to out-of-bounds write enabling heap corruption via a crafted HTML page ↗
- →The vulnerability was reported anonymously on 2021-09-08 and tracked internally as Chromium issue 1247766; this bug ID may appear in exploit PoC references or threat actor tooling ↗
- →Attack vector is remote via a crafted HTML page delivered to the browser; monitor for suspicious or anomalous HTML/JS content triggering V8 heap corruption patterns ↗
- →Multiple Chromium-based browsers are affected beyond Chrome alone; broaden detection scope to include Microsoft Edge and Opera version telemetry ↗
- ·CISA KEV remediation due date was 2021-11-17; any unpatched Chromium-based browser below version 93.0.4577.82 remains at risk ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-38c8-mw66-j237: Out of bounds write in V8 in Google Chrome prior to 93
ghsa_unreviewed·2022-05-24
CVE-2021-30632 [HIGH] CWE-787 GHSA-38c8-mw66-j237: Out of bounds write in V8 in Google Chrome prior to 93
Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
OSV
CVE-2021-30632: Out of bounds write in V8 in Google Chrome prior to 93
osv·2021-10-08·CVSS 8.8
CVE-2021-30632 [HIGH] CVE-2021-30632: Out of bounds write in V8 in Google Chrome prior to 93
Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
VulnCheck
Google Chromium V8 Out-of-Bounds Write Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-30632 [HIGH] CWE-122 Google Chromium V8 Out-of-Bounds Write Vulnerability
Google Chromium V8 Out-of-Bounds Write Vulnerability
Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2h-2023.pdf
Exploit PoC: https://vulncheck.com/xd
Project0
Project Zero RCA: CVE-2021-30632: Chrome Turbofan Type confusion in Global property access
project_zero·CVSS 8.8
CVE-2021-30632 [HIGH] Project Zero RCA: CVE-2021-30632: Chrome Turbofan Type confusion in Global property access
# CVE-2021-30632: Chrome Turbofan Type confusion in Global property access
*Man Yue Mo, GitHub Security Lab*
## The Basics
**Disclosure or Patch Date:** 13 September 2021
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
**Affected Versions:** pre 93.0.4577.82
**First Patched Version:** 93.0.4577.82
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1247763
**Patch CL:** https://source.chromium.org/chromium/_/chromium/v8/v8.git/+/6391d7a58d0c58cd5d096d22453b954b3ecc6fec
**Bug-Introducing CL:** N/A
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:**
```js
function store(y) {
x = y;
}
function load() {
return x.b;
}
var x = {a : 1};
var x1 = {a : 2};
var x2 = {a : 3};
v
CISA
Google Chromium V8 Out-of-Bounds Write Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2021-30632 [HIGH] CWE-122 Google Chromium V8 Out-of-Bounds Write Vulnerability
Vulnerability: Google Chromium V8 Out-of-Bounds Write Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-30632
Remediation Due Date: 2021-11-17
Microsoft
Chromium: CVE-2021-30632 Out of bounds write in V8
vendor_msrc·2021-09-14·CVSS 8.8
CVE-2021-30632 [HIGH] Chromium: CVE-2021-30632 Out of bounds write in V8
Chromium: CVE-2021-30632 Out of bounds write in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the ve
Chrome
Stable Channel Update for Desktop: CVE-2021-30632
vendor_chrome·2021-09-13·CVSS 8.8
CVE-2021-30632 [HIGH] Stable Channel Update for Desktop: CVE-2021-30632
Stable Channel Update for Desktop
CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08 [$TBD][ 1247766 ] High CVE-2021-30633: Use after free in Indexed DB API
Reported by Anonymous on 2021-09-08 [$10000][ 1214199 ] High CVE-2021-4319: Use after free in Blink
Severity: high
Debian
CVE-2021-30632: chromium - Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remot...
vendor_debian·2021·CVSS 8.8
CVE-2021-30632 [HIGH] CVE-2021-30632: chromium - Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remot...
Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 93.0.4577.82-1)
bullseye: resolved (fixed in 93.0.4577.82-1)
forky: resolved (fixed in 93.0.4577.82-1)
sid: resolved (fixed in 93.0.4577.82-1)
trixie: resolved (fixed in 93.0.4577.82-1)
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Securelist
IT threat evolution in Q3 2021. PC statistics
blogs_securelist·2021-11-26
IT threat evolution in Q3 2021. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Number of users attacked by ransomware Trojans
- Geography of ransomware attacks
- Top 10 most common families of ransomware Trojans
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution Q3 2021
- IT threat evolution in Q3 2021. PC statistics
- IT threat evolution in Q3 2021. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2021:
- Kaspersky solutions blocked 1,098,968,315 attacks from online reso
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISAs Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
#### Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to
Checkpoint
20th September – Threat Intelligence Report
blogs_checkpoint·2021-09-19·CVSS 7.8
CVE-2021-40444 [HIGH] 20th September – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 20th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th September, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Check Point Research has seen a global surge in the black market for fake COVID-19 vaccine certificates on Telegram, following US President Biden’s vaccine mandate announcements. The black market has expanded to serve 28 countries, including Austria, UAE, Brazil, UK, Singapore and more. The price for fake vaccine cert
Qualys
Microsoft and Adobe Patch Tuesday (September 2021) – Microsoft 60 Vulnerabilities with 3 Critical, Adobe 61 Vulnerabilities
blogs_qualys·2021-09-14·CVSS 8.1
CVE-2021-40444 [HIGH] Microsoft and Adobe Patch Tuesday (September 2021) – Microsoft 60 Vulnerabilities with 3 Critical, Adobe 61 Vulnerabilities
## Microsoft Patch Tuesday – September 2021
Microsoft patched 60 vulnerabilities in their September 2021 Patch Tuesday release, and an additional 26 CVEs since September 1st. Among the 60 released in the September Patch Tuesday, 3 of them are rated as critical severity, one as moderate, and 56 as important.
## Critical Microsoft Vulnerabilities Patched
CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability
This vulnerability has been publicly disclosed and is known to be exploited. The vulnerability allows for remote code execution via MSHTML, a component used by Internet Explorer and Office. Microsoft also released a workaround to show how users can disable ActiveX controls in IE. The vendor has assigned a CVSSv3 base score of 8.8. It should be prioritized for patching.
Crowdstrike
September 2021 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] September 2021 Patch Tuesday: Updates and Analysis
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VI
arXiv
A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities
arxiv_fulltext·2024-06-09
A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities
## Abstract
The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the point of failure in an otherwise formidable defense. Given that few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendat
http://packetstormsecurity.com/files/172845/Chrome-JIT-Compiler-Type-Confusion.htmlhttps://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.htmlhttps://crbug.com/1247763https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/http://packetstormsecurity.com/files/172845/Chrome-JIT-Compiler-Type-Confusion.htmlhttps://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.htmlhttps://crbug.com/1247763https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30632
2021-10-08
Published
2021-11-03
Added to CISA KEV
Exploited in the wild