What is the Chrome V8 JavaScript Engine?
V8 is Google's open-source JavaScript and WebAssembly engine that powers Chrome, all Chromium-based browsers, and Node.js. V8 uses Just-In-Time (JIT) compilation to execute JavaScript at near-native speed. Because V8 processes JavaScript from arbitrary untrusted web pages, vulnerabilities in V8 are directly and reliably exploitable via browser navigation — a user visiting a malicious page can trigger a V8 exploit with a single click. Type confusion (CWE-843) is one of the most commonly exploited V8 vulnerability classes because it allows JavaScript to manipulate V8's internal object type system, creating memory corruption primitives that reliably lead to code execution.
Overview
CVE-2021-30551 is a type confusion vulnerability (CWE-843) in the Chrome V8 JavaScript engine discovered and reported by Clément Lecigne of Google's Threat Analysis Group (TAG). Google patched this in Chrome 91.0.4472.101 (June 9, 2021) and confirmed exploitation in the wild. Google TAG's discovery indicates the vulnerability was being used in targeted surveillance or espionage campaigns against high-value individuals — TAG specifically tracks government-sponsored and commercial spyware operations. The vulnerability affects all Chromium-based browsers. CISA added it to the KEV catalog in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Chrome before 91.0.4472.101 | Yes | Chrome 91.0.4472.101 (June 9, 2021) |
| Microsoft Edge (Chromium) before equivalent | Yes | Edge update following Chrome 91 |
| Opera and other Chromium-based browsers | Yes | Corresponding vendor updates |
Technical Details
- Root cause: Type confusion (CWE-843) in V8 — V8's JIT compiler or object representation logic accesses a JavaScript value as the wrong internal type; attacker-controlled JavaScript manipulates V8's type assumptions to create a mismatch that bypasses type checks, enabling attacker-controlled memory accesses at arbitrary offsets within the renderer process
- Heap corruption: V8 type confusion leads to heap corruption — by controlling the memory layout at the confused type's location, an attacker constructs read/write primitives and ultimately achieves code execution in the Chrome renderer
- Google TAG attribution: Clément Lecigne of Google TAG is credited — TAG typically discovers exploits used in targeted surveillance (nation-state spyware) or commercial exploit operations rather than criminal malware, suggesting targeted use against journalists, dissidents, or government officials
- Browser renderer execution: Code execution occurs in the Chrome renderer process (sandboxed); full OS-level compromise requires a companion sandbox escape vulnerability — the two-bug chain is typical for sophisticated browser exploit frameworks
- Cross-browser scope: V8 is shared across all Chromium-based browsers; Microsoft Edge, Opera, Brave, and Vivaldi require separate patching
Discovery
Discovered by Clément Lecigne of Google Threat Analysis Group (TAG) — which monitors nation-state and commercial spyware exploitation of zero-day vulnerabilities. TAG's discovery of CVE-2021-30551 in active exploitation indicates the vulnerability was being used in targeted operations (likely surveillance or espionage) before the June 9, 2021 patch.
Exploitation Context
Google TAG's involvement in reporting CVE-2021-30551 is significant context: TAG tracks sophisticated threat actors who pay for or develop commercial-grade zero-day exploits and deploy them against specific, high-value targets. V8 type confusion zero-days found by TAG are commonly used by: (1) commercial surveillance vendors selling browser exploits to government clients, (2) nation-state actors conducting targeted espionage, or (3) both, through shared exploit broker infrastructure. The November 2021 CISA KEV addition reflects ongoing exploitation against the large installed base of unpatched Chrome across enterprise environments after the patch was available. CISA's inclusion reinforces that even government-targeted zero-days migrate to broader exploitation after patch publication.
Remediation
- Update Chrome to 91.0.4472.101 or later — any current Chrome release contains the fix; check chrome://settings/help
- Restart Chrome if an update is pending — Chrome downloads updates in the background but requires a restart to apply them
- Update Microsoft Edge, Opera, and all other Chromium-based browsers separately — the V8 fix does not propagate automatically
- Enable automatic updates for all browsers; verify that enterprise policies do not block Chrome or Edge from updating
- For high-risk individuals (journalists, activists, government officials): consider using Chrome with Site Isolation enabled and avoid clicking links from unknown senders — TAG-tracked exploits often target specific individuals via crafted links or malicious websites
- Consider enabling Lockdown Mode on iOS or equivalent high-security browser configurations on other platforms for users at risk of targeted surveillance
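The remediation steps above come down to one check per browser: is the installed build at or past the fixed one? The script below is an added example (it is not part of the advisory and not Google's tooling) that performs that comparison for an asset inventory. The only fixed build the advisory gives is Chrome 91.0.4472.101; for Edge, Opera, Brave and Vivaldi it names no build number, so those entries are left as labelled unknowns rather than guessed. The inventory lines and the `assess`, `parse_version` and `triage` names are constructed for the example. The point it makes that the prose does not: Chromium version strings must be compared numerically, because as plain strings "91.0.4472.77" sorts after "91.0.4472.101" and a naive comparison would mark a vulnerable build as fixed.

```python
"""Added example (not part of the original advisory): decide whether an
installed Chromium-based browser build predates the CVE-2021-30551 fix.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed build stated in the advisory (Chrome Stable, 2021-06-09).
CHROME_FIXED = (91, 0, 4472, 101)

# Per-product fix thresholds. None = not stated in the advisory; reported as
# "unknown-threshold" instead of inventing a vendor build number.
FIXED_BUILDS = {
    "chrome": CHROME_FIXED,
    "chromium": CHROME_FIXED,
    "edge": None,     # placeholder: vendor build not given in the advisory
    "opera": None,    # placeholder
    "brave": None,    # placeholder
    "vivaldi": None,  # placeholder
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a 4-part Chromium version as a tuple of ints.

    Tuples of ints compare numerically, which avoids the string pitfall
    where "91.0.4472.77" sorts *after* "91.0.4472.101".
    """
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(product: str, version_text: str) -> str:
    """Return 'vulnerable', 'fixed', 'unknown-threshold' or 'unparseable'."""
    ver = parse_version(version_text)
    if ver is None:
        return "unparseable"
    threshold = FIXED_BUILDS.get(product.lower())
    if threshold is None:
        return "unknown-threshold"
    return "fixed" if ver >= threshold else "vulnerable"


def local_chrome_version() -> Optional[str]:
    """Best effort: ask a locally installed Chrome/Chromium binary for its
    version (Linux/macOS CLI names). Returns None when no binary is found."""
    for exe in ("google-chrome", "google-chrome-stable",
                "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        return out.strip()
    return None


# Constructed sample inventory (host, product, version string as an asset
# tool might report it); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "Google Chrome 91.0.4472.77"),
    ("ws-02", "chrome", "Google Chrome 91.0.4472.101"),
    ("ws-03", "chrome", "Google Chrome 90.0.4430.212"),
    ("ws-04", "edge", "Microsoft Edge 91.0.864.48"),
    ("ws-05", "chrome", "version unavailable"),
]


def triage(inventory=SAMPLE_INVENTORY) -> dict:
    """Map each host to its CVE-2021-30551 status."""
    return {host: assess(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host}: {status}")
    local = local_chrome_version()
    print("local chrome:", local, "->",
          assess("chrome", local) if local else "not installed")
```

Hosts reported as `unknown-threshold` are not cleared; they need the vendor's own fixed build for that browser before they can be marked fixed, which is the same point the advisory makes about patching each Chromium-based browser separately.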
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-30551 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2021-06-15 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-06-09 | Google releases Chrome 91.0.4472.101 patching CVE-2021-30551 — Clément Lecigne of Google TAG credited; exploitation in the wild confirmed |
| 2021-06-15 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — Chrome 91.0.4472.101 | Vendor Advisory |
| NVD — CVE-2021-30551 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |