What is the Chrome V8 JavaScript Engine?
V8 is Google's open-source JavaScript and WebAssembly engine, embedded in Chrome, Chromium-based browsers (Microsoft Edge, Opera, Brave, Vivaldi), and Node.js. V8 compiles and executes JavaScript at near-native speed using Just-In-Time (JIT) compilation. Because V8 processes untrusted JavaScript from arbitrary web pages, vulnerabilities in V8 are directly exploitable through browser navigation — a user simply visiting a malicious page can trigger a V8 exploit. Type confusion vulnerabilities in V8 are particularly dangerous because they allow JavaScript to confuse the engine's internal type system, creating memory corruption primitives that can be leveraged for arbitrary code execution in the browser renderer process.
Overview
CVE-2021-30563 is a type confusion vulnerability (CWE-843) in the Chrome V8 JavaScript engine. A remote attacker can exploit the type confusion via a crafted HTML page to potentially achieve heap corruption and arbitrary code execution in the Chrome renderer process. Google patched this in Chrome 92.0.4515.107 (July 20, 2021) and acknowledged exploitation in the wild. The vulnerability affects all Chromium-based browsers including Microsoft Edge and Opera. CISA added it to the KEV catalog in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Chrome before 92.0.4515.107 | Yes | Chrome 92.0.4515.107 (July 20, 2021) |
| Microsoft Edge (Chromium) before the corresponding Chromium 92 update | Yes | Edge update following Chrome 92 |
| Opera and other Chromium-based browsers | Yes | Corresponding vendor updates |
Technical Details
- Root cause: Type confusion (CWE-843) in V8 — V8's JIT compiler or object representation accesses a JavaScript value as the wrong type; attacker-controlled JavaScript manipulates V8 internals to create a type mismatch that the engine does not detect, allowing memory reads and writes at attacker-influenced locations
- Heap corruption: Type confusion in V8 typically leads to heap corruption — by controlling the object layout at the confused type's memory location, an attacker can construct arbitrary read/write primitives and ultimately achieve code execution in the renderer
- Browser renderer execution: Successful exploitation achieves code execution in the Chrome renderer process — this is sandboxed and typically requires a separate sandbox escape to gain OS-level access; however, renderer RCE alone enables cross-origin data theft and credential exfiltration from browser memory
- Exploitation delivery: A malicious web page or iframe delivers the exploit automatically when the browser renders the JavaScript — no file download or additional user action beyond visiting the URL is required
- Cross-browser impact: All Chromium-based browsers share the V8 engine; patching Chrome alone is insufficient if Microsoft Edge, Opera, or other Chromium-based browsers are not also updated
Discovery
Reported to Google and confirmed as an in-the-wild zero-day — exploited before the July 20, 2021 Chrome 92 patch. Google's acknowledgment of exploitation in the wild at the time of the patch indicates this was a weaponized zero-day incorporated into active attack campaigns.
Exploitation Context
Chrome V8 type confusion zero-days are among the most commercially valuable browser vulnerabilities. They are frequently found in exploit kits used by both nation-state actors (for targeted surveillance) and cybercriminals (for drive-by download campaigns). CVE-2021-30563 was exploited before the patch — a pattern consistent with either a commercially sold zero-day (e.g., purchased from a broker and deployed in limited targeted attacks) or a rapidly weaponized vulnerability discovered independently by threat actors. The November 2021 CISA KEV addition reflects ongoing exploitation of unpatched Chrome installations after the patch became available, consistent with the large installed base of unpatched browsers in enterprise environments.
Remediation
- Update Chrome to 92.0.4515.107 or later (any current Chrome release contains the fix) — check chrome://settings/help for the current version
- Update Microsoft Edge, Opera, and all other Chromium-based browsers independently — Chromium updates do not automatically update other browsers
- Enable automatic updates for all browsers: Chrome and Edge auto-update by default when allowed to restart; verify auto-update is not blocked by enterprise policy
- For enterprise environments: use Chrome for Enterprise to enforce version requirements and ensure all workstations receive browser updates promptly
- Consider Chrome's Enhanced Safe Browsing for additional protection against malicious sites
- Apply browser sandboxing and site isolation: ensure Chrome Site Isolation (chrome://flags/#site-isolation-trial-opt-out) is enabled
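The version check in the first two remediation items, together with the cross-browser point under Technical Details, as an added example that is not part of this advisory: a Python triage script that reads browser User-Agent strings (such as the UA column of a web proxy log), extracts the embedded Chromium build from the `Chrome/x.y.z.w` token, and compares it with the first fixed Chrome build, 92.0.4515.107. Edge and Opera report the Chromium build they embed in that same token, which is why one comparison covers all three; the page gives no exact Edge or Opera fixed build numbers, so the script does not claim any. The sample User-Agent strings are constructed, and treating the UA-reported build as the installed build is an assumption; reduced User-Agents, which zero the build and patch numbers, are reported as indeterminate rather than guessed.

```python
"""Triage Chromium-based browser versions against the CVE-2021-30563 fix.

Added example (not from the advisory). It extracts the embedded Chromium
version from browser User-Agent strings and compares it with the first
fixed Chrome build. Edge and Opera carry the Chromium build they embed in
the same "Chrome/x.y.z.w" token, so one comparison covers all three.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# First fixed build, from the Chrome stable channel update of 2021-07-20.
FIXED_VERSION = "92.0.4515.107"

_CHROMIUM_TOKEN = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")
_EDGE_TOKEN = re.compile(r"\bEdg/\d")
_OPERA_TOKEN = re.compile(r"\bOPR/\d")


class Finding(NamedTuple):
    browser: str                     # "chrome", "edge", "opera" or "unknown"
    chromium_version: Optional[str]  # the Chrome/ token, if present
    status: str                      # "vulnerable", "patched", "indeterminate", "not_chromium"


def parse_version(text: str) -> Tuple[int, ...]:
    """'92.0.4515.107' -> (92, 0, 4515, 107); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def classify_user_agent(user_agent: str) -> Finding:
    """Decide, from one User-Agent string, whether the embedded Chromium
    build predates the fix. Assumes the UA-reported build is the installed
    build (an approximation: UAs can be spoofed or frozen by policy)."""
    match = _CHROMIUM_TOKEN.search(user_agent)
    if match is None:
        return Finding("unknown", None, "not_chromium")
    version = tuple(int(group) for group in match.groups())
    version_text = ".".join(str(part) for part in version)

    if _EDGE_TOKEN.search(user_agent):
        browser = "edge"
    elif _OPERA_TOKEN.search(user_agent):
        browser = "opera"
    else:
        browser = "chrome"

    # Reduced User-Agents report "Chrome/NN.0.0.0": the build and patch
    # numbers are zeroed, so the fix version cannot be decided from the
    # UA alone. Report that rather than guessing either way.
    if version[1:] == (0, 0, 0):
        status = "indeterminate"
    elif version < parse_version(FIXED_VERSION):
        status = "vulnerable"
    else:
        status = "patched"
    return Finding(browser, version_text, status)


def triage(user_agents: List[str]) -> List[Finding]:
    """Classify every User-Agent string in the input, preserving order."""
    return [classify_user_agent(ua) for ua in user_agents]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, e.g. {"vulnerable": 2, "patched": 2, ...}."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.status] = counts.get(finding.status, 0) + 1
    return counts


# Constructed sample User-Agent strings (not real log data).
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.55",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 OPR/78.0.4093.184",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.98 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_USER_AGENTS):
        print(f"{finding.status:13} {finding.browser:8} {finding.chromium_version}")
    print(summarize(triage(SAMPLE_USER_AGENTS)))
```

The comparison is a plain tuple comparison, so 92.0.4515.98 sorts below 92.0.4515.107 as it should, which a string comparison would get wrong. Treat the output as a prioritisation signal for endpoint inventory follow-up (which hosts still run a pre-fix build and which Chromium-based browsers beyond Chrome are in use), not as proof of patch state: a User-Agent is self-reported, and an "indeterminate" result only means the UA carries no usable build number.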
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-30563 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2021-08-03 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-07-20 | Google releases Chrome 92.0.4515.107 patching CVE-2021-30563 — acknowledges exploitation in the wild |
| 2021-08-03 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — Chrome 92.0.4515.107 | Vendor Advisory |
| NVD — CVE-2021-30563 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |