CVE-2021-21224 — Google Chromium V8 Type Confusion Vulnerability

Chrome V8 Engine — Type Confusion Zero-Day Enables Sandbox Code Execution via Crafted Web Page; Used in PuzzleMaker Full Exploit Chain (Chrome + Windows Kernel)

What is the Chrome V8 JavaScript Engine?

V8 is Google's open-source JavaScript and WebAssembly engine embedded in Chrome, Chromium-based browsers, and Node.js. V8's JIT compiler performs complex type inference and optimization to execute JavaScript at near-native speed. Type confusion vulnerabilities in V8 occur when the JIT compiler or object representation system treats a JavaScript value as a different type than it actually is — for example, treating an attacker-controlled integer as a pointer, or a float array as an object array. These type mismatches allow attackers to construct memory read/write primitives that bypass V8's bounds checks and heap sandbox, achieving code execution in the Chrome renderer process.

Overview

CVE-2021-21224 is a type confusion vulnerability (CWE-843) in the Chrome V8 JavaScript engine — the initial exploitation stage of the PuzzleMaker waterhole campaign documented by Kaspersky Research. Google patched this zero-day in Chrome 90.0.4430.85 (April 20, 2021). An attacker can exploit the V8 type confusion via a crafted HTML page to execute code inside the Chrome sandbox. CVE-2021-21224 served as the Chrome renderer code execution stage in the PuzzleMaker chain, which combined this V8 bug with Windows kernel escalation CVEs (CVE-2021-31956, NTFS, and CVE-2021-33739, DWM) to achieve full OS compromise via a single drive-by website visit.

Affected Versions

Product                                       Vulnerable   Fixed
Chrome before 90.0.4430.85                    Yes          Chrome 90.0.4430.85 (April 20, 2021)
Microsoft Edge (Chromium) before equivalent   Yes          Edge update following Chrome 90
Opera and other Chromium-based browsers       Yes          Corresponding vendor updates

Technical Details

  • Root cause: Type confusion (CWE-843) in V8 — the V8 JIT compiler or runtime object representation accesses a JavaScript value as the wrong internal type; attacker-crafted JavaScript creates conditions where V8's type assumptions are violated, producing a dangling object reference or incorrect type coercion that corrupts the V8 heap
  • JIT type confusion: V8 uses type feedback to specialize compiled code for expected argument types; by manipulating the type feedback (e.g., first calling a function with integers, then switching to objects), an attacker can cause the JIT to generate code that mishandles the actual type — bypassing type checks the JIT eliminated as unnecessary
  • Sandbox code execution: CVE-2021-21224 achieves code execution inside the Chrome renderer sandbox — not yet OS-level code execution; the PuzzleMaker chain required additional Windows kernel CVEs to escape the sandbox
  • PuzzleMaker exploit chain: Kaspersky documented the complete chain: (1) victim visits a compromised website delivering CVE-2021-21224 V8 exploit → Chrome renderer code execution; (2) CVE-2021-33739 (DWM LPE) or CVE-2021-31956 (NTFS LPE) used to escape the Chrome sandbox and escalate to SYSTEM → full OS compromise; (3) dropper installed for persistent access
  • Waterhole delivery: The attack targeted specific websites frequented by the intended victim organizations; this limits exploit exposure and is characteristic of targeted espionage rather than broad criminal campaigns
  • Two Chrome zero-days patched within a week: CVE-2021-21220 (improper input validation in V8) was patched in Chrome 90.0.4430.72 (April 14), just days before CVE-2021-21224 in 90.0.4430.85 (April 20) — reflecting rapid patching of a cluster of V8 zero-days

Discovery

Discovered by Kaspersky Research as part of their investigation of the PuzzleMaker waterhole campaign — a targeted attack chain that combined Chrome and Windows kernel zero-days. The discovery was prompted by detection of the exploit chain on victim systems, after which Kaspersky reported both the Chrome and Windows zero-days for coordinated patching.

Exploitation Context

CVE-2021-21224's role in the PuzzleMaker chain is significant: it demonstrates that a single website visit can result in complete OS compromise when a sophisticated attacker deploys a full exploit chain. The PuzzleMaker campaign specifically: (1) used a Chrome V8 zero-day for initial renderer code execution, (2) used Windows DWM and NTFS kernel zero-days to escape Chrome's sandbox and reach SYSTEM, and (3) delivered this entire chain through a waterhole attack against targeted organizations. The chain required all three zero-days to function — patching any single component would have blocked full OS compromise, emphasizing the importance of keeping browsers AND OS simultaneously patched. The November 2021 CISA KEV addition reflects ongoing exploitation of Chrome CVE-2021-21224 after the patch, targeting organizations where Chrome had not been updated.

Remediation

  1. Update Chrome to 90.0.4430.85 or later — any current Chrome release includes the fix; check chrome://settings/help
  2. Update Microsoft Edge, Opera, and all Chromium-based browsers independently
  3. Apply June 2021 Patch Tuesday Windows updates to also patch CVE-2021-31956 and CVE-2021-33739 — all three PuzzleMaker chain components must be patched to prevent full compromise
  4. Enable Chrome auto-update and verify it is not blocked by enterprise policy
  5. Implement web content filtering to block access to known malicious sites and unusual/unsanctioned websites from enterprise workstations — waterhole attacks target specific community websites; URL filtering reduces the attack surface
  6. Deploy EDR with browser exploit detection capabilities — the PuzzleMaker chain involves unusual process lineage (Chrome spawning kernel exploit code) that modern EDR should detect
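As an added example that is not part of the original page, the Python helper below compares a Chrome or Chromium version string (a bare version from chrome://settings/help, or the output of `google-chrome --version` on Linux) against the fixed release 90.0.4430.85 named in step 1. It covers Chrome and Chromium only, because the page gives no specific fixed build numbers for Edge or Opera. The four-component numeric comparison is the point: a plain string comparison would rank 90.0.4430.9 above 90.0.4430.85 and report an unpatched build as fixed.

```python
import re
from typing import Optional, Tuple

# Fixed release stated on the page: Chrome 90.0.4430.85 (April 20, 2021).
FIXED_CHROME_VERSION = "90.0.4430.85"

# Dotted version with two to four numeric components, e.g. 90.0.4430.85
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version in `text` as a 4-tuple of ints.

    Accepts a bare version ("90.0.4430.85") or tool output such as
    "Google Chrome 90.0.4430.85" / "Chromium 90.0.4430.85".
    Returns None when no version is present. Shorter versions are padded
    with zeros so that 90.0.4430 compares as 90.0.4430.0.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version_text: str, fixed: str = FIXED_CHROME_VERSION) -> Optional[bool]:
    """True if the build in `version_text` is at or above the fixed release,
    False if it is older, None if no version could be parsed.

    Tuples of ints compare component by component, so 90.0.4430.9 is
    correctly ranked below 90.0.4430.85 (a string compare would invert this).
    """
    installed = parse_version(version_text)
    if installed is None:
        return None
    return installed >= parse_version(fixed)


def describe(version_text: str) -> str:
    """Human-readable verdict for a version string, for use in inventory reports."""
    verdict = is_patched(version_text)
    if verdict is None:
        return f"could not parse a Chrome version from {version_text!r}"
    status = "patched" if verdict else "VULNERABLE to CVE-2021-21224"
    return f"{version_text.strip()}: {status} (fixed in {FIXED_CHROME_VERSION})"


if __name__ == "__main__":
    # Assumption: on Linux, `google-chrome --version` prints "Google Chrome <version>".
    import subprocess

    try:
        output = subprocess.run(
            ["google-chrome", "--version"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        output = ""
    if not output:
        # Constructed sample so the script still demonstrates the check offline.
        output = "Google Chrome 90.0.4430.72"
    print(describe(output))
```

For a fleet, feed the version column exported from your browser inventory through `describe()` instead of calling the binary on each host; the comparison logic is the same.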

Key Details

Property               Value
CVE ID                 CVE-2021-21224
Vendor / Product       Google — Chromium V8
NVD Published          2021-04-26
NVD Last Modified      2025-10-24
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-843
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-04-20   Google releases Chrome 90.0.4430.85 patching CVE-2021-21224 — zero-day, exploited in the wild
2021-04-26   CVE published
2021-06-11   Kaspersky publishes PuzzleMaker research — identifies CVE-2021-21224 as the Chrome V8 initial RCE component in the waterhole exploit chain, paired with Windows kernel CVE-2021-31956 and CVE-2021-33739
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline