CVE-2021-21148 — Google Chromium V8 Heap Buffer Overflow Vulnerability


Chrome V8 JavaScript Engine — Heap Buffer Overflow Zero-Day Enables Remote Code Execution via Malicious Web Page; First Chrome Zero-Day of 2021

What is Chrome's V8 JavaScript Engine?

V8 is the high-performance JavaScript and WebAssembly engine at the core of Google Chrome, Microsoft Edge, Node.js, and Chromium-based browsers. V8 compiles JavaScript to native machine code using just-in-time (JIT) compilation, executing complex attacker-controlled scripts with near-native performance. V8's heap (where JavaScript objects are allocated) is one of the most intensively studied attack surfaces in browser security — heap buffer overflows in V8 occur when JIT-compiled operations or built-in JavaScript functions write beyond allocated heap buffer boundaries. Because V8 executes on every web page visit, a V8 heap overflow is directly triggerable by a malicious website without any user action beyond visiting the page.

Overview

CVE-2021-21148 is a heap buffer overflow vulnerability (CWE-787) in Chrome's V8 JavaScript engine that allows a remote attacker to exploit heap corruption via a crafted HTML page. Google patched this in Chrome 88.0.4324.150 (February 4, 2021), confirming an exploit existed in the wild. This was the first Chrome zero-day of 2021 — the beginning of a Q1 2021 period that would see two more Chrome zero-days within six weeks (CVE-2021-21166 on March 2 and CVE-2021-21193 on March 12), indicating intense zero-day exploitation activity against Chrome's JavaScript engine. Credited to Mattias Buelens. CISA added it to the KEV catalog in November 2021.

Affected Versions

Product                                        Vulnerable   Fixed
Chrome before 88.0.4324.150                    Yes          Chrome 88.0.4324.150 (February 4, 2021)
Microsoft Edge (Chromium) before equivalent    Yes          Edge update following Chrome 88
Opera and other Chromium-based browsers        Yes          Corresponding vendor updates

Technical Details

  • Root cause: Heap buffer overflow (CWE-787) in V8 — a V8 built-in function, JIT-compiled operation, or JavaScript engine component writes beyond the end of a heap-allocated buffer when processing attacker-controlled JavaScript; this corrupts adjacent heap memory, providing a heap corruption primitive
  • V8 heap exploitation: By controlling the Chrome heap layout through JavaScript (allocating and freeing objects to position controlled data adjacent to the overflow target), the attacker achieves type confusion — the corrupted object is interpreted as a different type with attacker-controlled internal fields, enabling arbitrary memory read/write
  • Renderer code execution: Code execution occurs in Chrome's renderer process, which is sandboxed; OS-level compromise requires a separate sandbox escape vulnerability. However, renderer RCE enables significant data access from within the browser context and serves as the first stage of full exploitation chains
  • Q1 2021 Chrome zero-day cluster: CVE-2021-21148 (February 4) + CVE-2021-21166 (March 2) + CVE-2021-21193 (March 12) — three Chrome zero-days in six weeks; the clustering suggests multiple sophisticated actors simultaneously holding and deploying Chrome renderer exploits in targeted operations
  • No authentication, low complexity: AV:N/AC:L/PR:N/UI:R — any website can trigger the heap overflow in visiting users' Chrome browsers; the only barrier is getting the target to visit the malicious page

Discovery

Reported to Google by Mattias Buelens as an in-the-wild zero-day. Google's February 4, 2021 Chrome 88.0.4324.150 release notes confirmed "exploit exists in the wild." CISA added it to the KEV catalog in November 2021 alongside the two other Q1 2021 Chrome zero-days.

Exploitation Context

The first Chrome zero-day of 2021 established the pattern that would continue throughout Q1: sophisticated actors exploiting Chrome's V8 engine through heap buffer overflows and type confusion for targeted attacks. Chrome zero-days at this severity level are primarily used in: (1) targeted surveillance against high-value individuals (dissidents, journalists, activists), (2) espionage operations against government or defense sector targets, and (3) criminal exploit kit delivery. The November 2021 CISA KEV addition — covering all three Q1 2021 Chrome zero-days simultaneously — reflects both their historical exploitation and continued exploitation against organizations running unpatched Chrome. Most enterprise Chrome deployments receive automatic updates, but managed environments with deferred updates or frozen versions remained vulnerable.

Remediation

  1. Update Chrome to 88.0.4324.150 or later — any current Chrome release contains the fix; verify at chrome://settings/help
  2. Update all Chromium-based browsers (Microsoft Edge, Brave, Opera) separately — Chrome updates do not propagate to other browsers
  3. Enable automatic Chrome updates and verify enterprise policies do not block update delivery (chrome://policy/ to check)
  4. Apply all three Q1 2021 Chrome zero-day patches: CVE-2021-21148 (88.0.4324.150), CVE-2021-21166 (89.0.4389.72), and CVE-2021-21193 (89.0.4389.90)
  5. Enable Chrome sandboxing — do not run Chrome with --no-sandbox flag, which would eliminate the process isolation that limits V8 heap overflow impact to the renderer
  6. For high-risk users: consider Chrome's Enhanced Safe Browsing mode and enable Site Isolation (chrome://flags/#site-isolation-trial-opt-out) to limit cross-origin data access
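To support steps 1 to 4 in a fleet inventory, the following added example (not code from the advisory or from Google) compares an installed Chrome/Chromium version string against the three fixed versions named on this page. The banner format "Google Chrome 88.0.4324.150" from `google-chrome --version` is assumed; the version under test is a constructed sample.

```python
import re

# Fixed versions for the three Q1 2021 V8 zero-days, as listed on this page.
FIXES = {
    "CVE-2021-21148": "88.0.4324.150",
    "CVE-2021-21166": "89.0.4389.72",
    "CVE-2021-21193": "89.0.4389.90",
}

def parse_version(s):
    """Turn a four-part Chrome version like '88.0.4324.150' into an int tuple.

    Tuples compare component-wise, so 88.0.4324.150 < 89.0.4389.72 holds
    even though a plain string comparison would get this wrong.
    """
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {s!r}")
    return tuple(int(p) for p in parts)

def version_from_banner(banner):
    """Extract the version from a '--version' banner (assumed format,
    e.g. 'Google Chrome 88.0.4324.150' or 'Chromium 88.0.4324.150')."""
    m = re.search(r"\b(\d+\.\d+\.\d+\.\d+)\b", banner)
    if not m:
        raise ValueError(f"no version found in banner: {banner!r}")
    return m.group(1)

def unpatched_cves(installed):
    """Return the CVEs from FIXES whose fix is newer than the installed version."""
    have = parse_version(installed)
    return [cve for cve, fixed in FIXES.items() if have < parse_version(fixed)]

def is_vulnerable_to_21148(installed):
    """True when the installed build predates the CVE-2021-21148 fix."""
    return "CVE-2021-21148" in unpatched_cves(installed)

if __name__ == "__main__":
    # Constructed sample banner: a build one patch level short of the fix.
    sample = "Google Chrome 88.0.4324.146"
    ver = version_from_banner(sample)
    print(ver, "still needs:", unpatched_cves(ver) or "nothing")
```

Chromium-based browsers such as Edge carry their own version numbering, so for step 2 compare against each vendor's own fixed build rather than the Chrome numbers above.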

Key Details

Property              Value
CVE ID                CVE-2021-21148
Vendor / Product      Google — Chromium V8
NVD Published         2021-02-09
NVD Last Modified     2025-10-24
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-02-04  Google releases Chrome 88.0.4324.150 patching CVE-2021-21148 — zero-day, 'exploit exists in the wild'
2021-02-09  CVE published; Mattias Buelens credited with discovery
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline