CVE-2021-30632 — Google Chromium V8 Out-of-Bounds Write Vulnerability

Google Chrome V8 Engine — Out-of-Bounds Write Zero-Day Enables Remote Code Execution via Malicious Web Page; Patched September 2021

What is Google Chrome V8?

V8 is Google's open-source JavaScript and WebAssembly engine powering Google Chrome, Microsoft Edge (Chromium-based), Opera, Brave, and virtually every modern Chromium-based browser. V8 compiles JavaScript to machine code at runtime using JIT (just-in-time) compilation, manages memory through garbage collection, and implements the JavaScript language specification. As the engine executing untrusted JavaScript from every web page a user visits, V8 is a premier target for browser exploitation: memory corruption in V8 allows remote code execution within the Chrome renderer process, achieved simply by visiting a malicious web page.

Overview

CVE-2021-30632 is an out-of-bounds write vulnerability (CWE-787) in the V8 JavaScript engine, exploited as a zero-day in September 2021. An out-of-bounds write in V8's JIT-compiled code paths allows attacker-supplied JavaScript to corrupt memory beyond an allocated buffer, enabling heap corruption and ultimately arbitrary code execution in the Chrome renderer process. Google patched this in Chrome 93.0.4577.82 on September 13, 2021, acknowledging that "an exploit for CVE-2021-30632 exists in the wild." CISA added it to KEV in November 2021.

This was one of multiple Chrome zero-days exploited in 2021, a year with an unusually high number of browser zero-days used in targeted attacks.

Affected Versions

Product                             Vulnerable   Fixed
Google Chrome before 93.0.4577.82   Yes          93.0.4577.82
Microsoft Edge (Chromium-based)     Yes          Corresponding Chromium update
Other Chromium-based browsers       Yes          Varies by browser update cadence

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in V8 — the JavaScript engine writes data beyond the bounds of an allocated buffer in a code path reachable by attacker-controlled JavaScript
  • Memory corruption primitive: An OOB write in V8 typically enables heap layout manipulation to achieve type confusion or controlled pointer corruption — both of which can be converted into arbitrary read/write primitives within the V8 heap
  • Renderer code execution: Exploiting the OOB write achieves code execution within the Chrome renderer process (the sandboxed process that executes web content). The renderer process is isolated by Chrome's sandbox from the OS
  • Exploitation chain: A standalone V8 OOB write reaching renderer code execution is typically combined with a sandbox escape (a separate vulnerability) for full OS code execution. However, V8 exploitation alone allows access to browser session data, cookies, and saved passwords
  • Delivery: The user navigates to a malicious page or opens a malicious HTML file (UI:R). No further interaction is required — the JavaScript executes automatically
  • Affected browsers: All Chromium-based browsers that had not yet incorporated the V8 patch were affected, including Edge, Opera, and Brave in addition to Chrome

Discovery

Reported to Google by external security researchers. Google confirmed active exploitation with the September 13, 2021 patch release, though the specific threat actors and targeting were not publicly disclosed.

Exploitation Context

September 2021 saw multiple Chrome zero-days patched simultaneously or in rapid succession, suggesting a period of active research and exploitation of Chrome's V8 engine by advanced threat actors. Chrome V8 zero-days are primarily used by nation-state groups and commercial spyware operators who require reliable browser exploitation for targeted surveillance. The combination of zero-day availability and active exploitation led to CISA's November 2021 KEV addition, mandating patch compliance for federal agencies.

Remediation

  1. Update Google Chrome to 93.0.4577.82 or later — any current Chrome release contains the fix
  2. Enable automatic Chrome updates: Chrome menu → Help → About Google Chrome
  3. Update all Chromium-based browsers (Microsoft Edge, Brave, Opera) — each has its own update schedule
  4. For enterprise Chrome deployment: use Google Update or Microsoft Endpoint Manager to push Chrome updates centrally
  5. Enable Chrome's site isolation feature (--site-per-process) to limit cross-site data access even if renderer code execution is achieved
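To verify step 1 on a Linux or macOS host, here is an added POSIX shell check (not part of the advisory) that parses the output of `chrome --version` and compares it component by component against the fixed build 93.0.4577.82 named above; the binary names searched and the sample version strings are assumptions.

```shell
#!/bin/sh
# Fixed Chrome build for CVE-2021-30632, as stated in the advisory.
FIXED_VERSION="93.0.4577.82"

# version_ge A B: return 0 when dotted version A >= B, comparing each of
# the four numeric components in turn (string comparison would get
# "93.0.4577.82" vs "93.0.4577.9" wrong).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        ca=$(printf '%s' "$a" | cut -d. -f"$i"); ca=${ca:-0}
        cb=$(printf '%s' "$b" | cut -d. -f"$i"); cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_is_patched "<output of chrome --version>":
# return 0 if the build is at or above FIXED_VERSION, 1 if it is older,
# 2 if no four-part version number could be found in the string.
chrome_is_patched() {
    ver=$(printf '%s' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1)
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# check_installed: find the first Chrome/Chromium binary on PATH and
# report whether its build is vulnerable to CVE-2021-30632.
# Binary names below are assumptions about common Linux package names.
check_installed() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        if command -v "$bin" >/dev/null 2>&1; then
            out=$("$bin" --version 2>/dev/null || true)
            if chrome_is_patched "$out"; then
                echo "OK: $out (>= $FIXED_VERSION)"
            else
                echo "VULNERABLE: $out (< $FIXED_VERSION); update for CVE-2021-30632"
            fi
            return 0
        fi
    done
    echo "No Chrome/Chromium binary found on PATH"
}

check_installed
```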

Key Details

Property              Value
CVE ID                CVE-2021-30632
Vendor / Product      Google — Chromium V8
NVD Published         2021-10-08
NVD Last Modified     2025-10-24
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-09-13  Google releases Chrome 93.0.4577.82, patching CVE-2021-30632 as a zero-day actively exploited in the wild
2021-10-08  CVE published
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline