What is the Chrome V8 JavaScript Engine?
V8 is Google's open-source JavaScript and WebAssembly engine powering Chrome and all Chromium-based browsers. V8's JIT (Just-In-Time) compiler transforms JavaScript code into optimized native machine code at runtime. The JIT compiler contains complex type inference and optimization passes that make assumptions about JavaScript value types — improper validation of these assumptions, or failure to validate bounds on array indices and typed array operations, can result in out-of-bounds heap writes. Because V8 JIT runs untrusted JavaScript from every web page, a single bounds check failure in a critical code path can be reliably triggered by attacker-crafted JavaScript.
Overview
CVE-2021-21220 is an improper input validation vulnerability (CWE-787) in the Chrome V8 JavaScript engine that allows heap corruption via crafted HTML. Google patched it as an in-the-wild zero-day in Chrome 90.0.4430.72 (April 14, 2021). The vulnerability is part of the April 2021 Chrome zero-day cluster that also includes CVE-2021-21206 (Blink UAF) and CVE-2021-21224 (V8 type confusion) — multiple simultaneous Chrome zero-days patched within days of each other, suggesting a coordinated exploitation campaign. CISA added it to the KEV catalog in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Chrome before 90.0.4430.72 | Yes | Chrome 90.0.4430.72 (April 14, 2021) |
| Microsoft Edge (Chromium-based) before the build equivalent to Chrome 90.0.4430.72 | Yes | Edge update following Chrome 90 |
| Opera and other Chromium-based browsers | Yes | Corresponding vendor updates |
Technical Details
- Root cause: Improper input validation (CWE-787) in V8's JIT compiler or typed array handling — V8 fails to adequately validate bounds or type constraints on JavaScript input before performing memory operations; an attacker crafts JavaScript that exploits this missing validation to write beyond an allocated V8 heap buffer
- Heap corruption: The out-of-bounds write corrupts adjacent V8 heap memory — by carefully crafting JavaScript to control the heap layout, an attacker can overwrite V8 object headers or metadata to achieve type confusion, leading to arbitrary read/write primitives and ultimately renderer code execution
- JIT-targeted exploitation: Modern V8 exploits often target the JIT compiler's type specialization: by first "warming up" a function to cause JIT compilation, then providing unexpected types, the attacker triggers code paths that the JIT compiler assumed would never be reached — bypassing bounds checks that the JIT had eliminated as redundant on the basis of its type assumptions
- Zero-day cluster context: CVE-2021-21220 and CVE-2021-21224 are both V8 zero-days patched in the same April 2021 Chrome release; the simultaneous availability of multiple V8 exploits suggests either a sophisticated exploit chain using both, or parallel independent discovery by the same threat actor
- Renderer sandboxed execution: Code execution achieved via CVE-2021-21220 runs in the Chrome renderer sandbox; a second bug (sandbox escape, kernel LPE) is required for full OS compromise
Discovery
Reported to Google as a zero-day actively exploited in the wild before the April 14, 2021 Chrome 90 patch. The contemporaneous patching of multiple V8 zero-days (21220 and 21224) alongside the Blink UAF (21206) suggests a single coordinated disclosure or a threat actor simultaneously exploiting multiple Chrome zero-days in an advanced exploit chain.
Exploitation Context
The April 2021 Chrome zero-day cluster represents a concentrated period of high-value browser exploitation. Commercial spyware vendors and nation-state actors who deploy zero-day exploit chains often bundle multiple bugs: a renderer RCE (from Blink UAF or V8 memory corruption), a V8 sandbox escape or type confusion for broader access, and potentially a kernel LPE for complete OS control. Having multiple V8 bugs provides fallback options if one bug is detected or fails. The November 2021 CISA KEV addition for the complete April 2021 cluster reflects ongoing exploitation against unpatched browser installations.
Remediation
- Update Chrome to 90.0.4430.72 or later — any current Chrome version contains the fix; verify at chrome://settings/help
- Update Microsoft Edge, Opera, and all Chromium-based browsers independently — each browser must be updated separately
- Enable automatic Chrome updates and confirm that no enterprise policies block Chrome from updating
- Apply all subsequent Chrome security updates — V8 is actively patched; apply updates as they become available
- Enable Site Isolation in Chrome to limit the impact of renderer compromise to the attacked origin
- Consider Chrome's Enhanced Protection mode (Settings → Privacy and security → Security → Enhanced protection) for additional anti-phishing and malicious site detection
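The version check behind the first two remediation items, as an added example that is not part of the advisory: it compares inventoried Chrome builds numerically against the fixed build 90.0.4430.72 from the table above, and defers other Chromium-based browsers to their own vendor builds, which this page does not list. The inventory lines and host names are constructed sample data.

```python
"""Flag Chrome installs still exposed to CVE-2021-21220 (added example)."""
import re
from typing import List, Optional, Tuple

# Fixed build stated in the advisory: Chrome 90.0.4430.72
FIXED_CHROME = (90, 0, 4430, 72)

# Constructed sample inventory, one "host,product,version" record per line.
SAMPLE_INVENTORY = """\
ws-001,Google Chrome,89.0.4389.114
ws-002,Google Chrome,90.0.4430.72
ws-003,Google Chrome,90.0.4430.9
ws-004,Google Chrome,90.0.4430.85
ws-005,Microsoft Edge,90.0.1234.56
ws-006,Google Chrome,not-installed
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into an int tuple; None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def chrome_vulnerable(version: str) -> Optional[bool]:
    """True if a Chrome build predates the fixed build, None if unparsable.

    Tuples compare component by component as integers, so 90.0.4430.9 is
    correctly ordered before 90.0.4430.72; a plain string comparison would
    rank "9" above "7" and wrongly report that host as patched.
    """
    v = parse_version(version)
    return None if v is None else v < FIXED_CHROME


def triage_inventory(inventory: str) -> List[Tuple[str, str]]:
    """Return (host, verdict) per record: vulnerable / patched / unknown / review.

    Only Google Chrome is compared against FIXED_CHROME. Edge, Opera and other
    Chromium-based browsers carry their own version numbers and must be checked
    against their vendors' fixed builds, so they are marked 'review'.
    """
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if product != "Google Chrome":
            results.append((host, "review"))
            continue
        verdict = chrome_vulnerable(version)
        results.append((host, "unknown" if verdict is None
                        else "vulnerable" if verdict else "patched"))
    return results
```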
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-21220 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2021-04-26 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-04-14 | Google releases Chrome 90.0.4430.72 patching CVE-2021-21220 — zero-day exploited in the wild |
| 2021-04-26 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — Chrome 90.0.4430.72 | Vendor Advisory |
| NVD — CVE-2021-21220 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |