What is Google Chrome V8?
V8 is Google's open-source JavaScript and WebAssembly engine. It powers Google Chrome and every Chromium-based browser, including Microsoft Edge, Opera and Brave. V8 compiles JavaScript to machine code at runtime using JIT (just-in-time) compilation, manages memory with a garbage collector, and implements the ECMAScript language specification. Because it executes untrusted JavaScript from every web page a user visits, V8 is a premier target for browser exploitation: a memory-corruption bug in V8 gives an attacker code execution inside the Chrome renderer process from nothing more than a visit to a malicious web page. The renderer is sandboxed, so a second bug is needed to reach the operating system.
Overview
CVE-2021-37975 is a use-after-free vulnerability (CWE-416) in the V8 JavaScript engine, exploited as a zero-day before a fix was available. Google patched it in the Chrome 94.0.4606.71 stable update of October 7, 2021, alongside CVE-2021-37976 (an information leak in Chromium core) and CVE-2021-37974 (a use-after-free in Safe Browsing). The advisory states that Google "is aware that exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild". Google did not describe how the two were used, but a V8 memory-corruption bug paired with an information leak is the shape of a typical two-stage Chrome chain: CVE-2021-37975 provides code execution inside the sandboxed renderer, and the leak would supply what a second stage needs to escape the sandbox and compromise the OS. CISA added CVE-2021-37975 to the Known Exploited Vulnerabilities (KEV) catalog on November 3, 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome before 94.0.4606.71 | Yes | 94.0.4606.71 |
| Microsoft Edge (Chromium-based) | Yes | Corresponding Chromium update |
| Other Chromium-based browsers | Yes | Varies by browser update cadence |
Technical Details
- Root cause: Use-after-free (CWE-416) in V8, tracked as Chromium issue 1251787. A V8 heap object is released while JavaScript can still reach a reference to it. Google's advisory describes the bug only as "Use after free in V8"; the affected component and the JavaScript sequence that triggers it were not published, as is usual while a bug is under active exploitation
- Exploitation pattern: once the object is freed, attacker JavaScript allocates something of the same size with controlled contents so that it reclaims the freed memory. When the engine next uses the stale reference it interprets the attacker's bytes as the object's header (its map, which tells V8 the object's type and layout), which is a type confusion. From there the standard V8 path applies: build addrof and fakeobj primitives, extend them to arbitrary read and write across the renderer's address space, and turn that into control of execution in the renderer
- Two-bug chain: Google reported in-the-wild exploits for both CVE-2021-37975 and CVE-2021-37976 in the same release but did not state that they were used together. The pairing of a V8 memory-corruption bug with an information leak matches the usual shape of a complete Chrome chain, in which the V8 bug gives renderer code execution and the leak supplies what the second stage needs to escape the sandbox
- Delivery: visiting a malicious or compromised web page (CVSS UI:R) is enough; the page's JavaScript triggers the bug, and no further interaction from the user is required
- Renderer isolation: code execution from a V8 bug lands in the sandboxed renderer process, not on the host. A separate sandbox-escape bug, in this case presumably CVE-2021-37976, is required for full OS access
- Browser scope: every Chromium-based browser that shipped the affected V8 was exposed until it picked up the October 7, 2021 Chromium fix
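To make the mechanism in the bullets above concrete, here is an added example written for this page. It is not V8 code and not the actual CVE-2021-37975 code path, which Google has not published: a deterministic toy heap in C in which an object is freed while a reference survives, an attacker-controlled same-size allocation reclaims the slot, and the engine's tag dispatch then reads through an attacker-chosen pointer. The `js_string` and `js_buffer` layouts, the arena allocator and the generation-tagged handle are all assumptions made for the illustration; the hardened path is a generic stale-reference check, not the fix Google shipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header tag the toy engine trusts when deciding how to treat an object
 * (a real engine keeps an equivalent map / hidden-class pointer there). */
enum kind { KIND_FREE = 0, KIND_STRING = 1, KIND_BUFFER = 2 };

/* Two assumed layouts sharing one 32-byte slot size, so one can overlay the other. */
struct js_string { uint32_t kind, len; char chars[24]; };                     /* chars inline */
struct js_buffer { uint32_t kind, len; uint64_t *backing; uint8_t pad[16]; }; /* out-of-line store */

#define SLOT_SIZE 32
#define NSLOTS    4

/* Deterministic stand-in for the engine heap: fixed-size slots, first-fit reuse.
 * A stale pointer still lands inside this arena, so the demo has no undefined
 * behaviour and produces the same result on every run. */
static uint8_t  arena[NSLOTS * SLOT_SIZE];
static int      slot_used[NSLOTS];
static uint32_t slot_gen[NSLOTS];   /* bumped on every free; used by the hardened path */

static void *heap_alloc(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return arena + i * SLOT_SIZE; }
    return NULL;
}

static void heap_free(void *p) {
    int i = (int)(((uint8_t *)p - arena) / SLOT_SIZE);
    slot_used[i] = 0;
    slot_gen[i]++;
    memset(p, 0, SLOT_SIZE);        /* the memory is released; the stale pointer is not */
}

/* Engine operation that dispatches on the tag. For KIND_BUFFER it follows the
 * backing pointer, which is exactly the read primitive an attacker is after. */
static uint64_t engine_read_first_word(void *obj) {
    uint64_t v = 0;
    switch (*(uint32_t *)obj) {
    case KIND_STRING: memcpy(&v, ((struct js_string *)obj)->chars, sizeof v); break;
    case KIND_BUFFER: v = ((struct js_buffer *)obj)->backing[0]; break;
    default: break;
    }
    return v;
}

static uint64_t secret = 0x4141414142424242ULL;   /* constructed: what the attacker wants to read */

/* Plants the fake object: the attacker requests a same-size raw allocation (first-fit
 * hands back the just-freed slot) and writes a KIND_BUFFER header pointing at `secret`. */
static void attacker_reclaim_slot(void) {
    struct js_buffer fake = { KIND_BUFFER, 0x1000, &secret, {0} };
    void *raw = heap_alloc();
    if (raw) memcpy(raw, &fake, sizeof fake);
}

/* The CWE-416 sequence: free while referenced, reclaim the slot, use the stale reference. */
uint64_t demo_uaf_read(void) {
    memset(slot_used, 0, sizeof slot_used);
    struct js_string *str = heap_alloc();      /* 1. engine allocates a string ...        */
    str->kind = KIND_STRING; str->len = 5; memcpy(str->chars, "hello", 6);
    void *stale = str;                         /*    ... and a reference outlives it      */
    heap_free(str);                            /* 2. the bug: freed while still reachable */
    attacker_reclaim_slot();                   /* 3. attacker bytes now sit under `stale` */
    return engine_read_first_word(stale);      /* 4. engine trusts the tag: type confusion */
}

/* Hardened pattern (generic, not V8's actual fix): references carry the slot's
 * generation, and dereferencing fails once the slot has been freed since. */
struct handle { int slot; uint32_t gen; };

static struct handle make_handle(void *p) {
    struct handle h = { (int)(((uint8_t *)p - arena) / SLOT_SIZE), 0 };
    h.gen = slot_gen[h.slot];
    return h;
}

static void *deref_handle(struct handle h) {
    if (!slot_used[h.slot] || slot_gen[h.slot] != h.gen) return NULL;
    return arena + h.slot * SLOT_SIZE;
}

/* Same attacker sequence; returns 1 when the stale use is refused before dispatch. */
int demo_generation_check(void) {
    memset(slot_used, 0, sizeof slot_used);
    struct js_string *str = heap_alloc();
    str->kind = KIND_STRING;
    struct handle h = make_handle(str);
    heap_free(str);
    attacker_reclaim_slot();
    return deref_handle(h) == NULL;
}

int main(void) {
    printf("stale read returned 0x%016llx, secret is 0x%016llx\n",
           (unsigned long long)demo_uaf_read(), (unsigned long long)secret);
    printf("generation-checked dereference refused stale use: %d\n", demo_generation_check());
    return 0;
}
```

The stale read returns the contents of `secret`, an address the engine was never asked to read: the tag the engine trusted came from the attacker, which is the type confusion the bullets describe. In a real engine the same-size reclaim step is the "heap grooming" part of the exploit, and the backing pointer of the fake object is what grows into an arbitrary read/write primitive. The generation check shows the shape of a defence that catches the stale use before the tag is ever consulted; V8's actual fix for this issue is not public.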
Discovery
Chromium's release notes credit CVE-2021-37975 to an anonymous reporter (submitted 2021-09-22) and CVE-2021-37976 to Clément Lecigne of Google's Threat Analysis Group, with technical assistance from Sergei Glazunov and Mark Brand of Project Zero (submitted 2021-09-21). Google said exploits for both existed in the wild at the time of the October 7, 2021 release. An in-the-wild V8 memory-corruption bug landing alongside a TAG-discovered information leak points to sophisticated tooling: building a full chain from renderer exploit to sandbox escape demands exploit-development capability typical of nation-state actors or well-resourced commercial spyware operators.
Exploitation Context
Taken together, CVE-2021-37975 and CVE-2021-37976 have the shape of a one-click browser exploit: a user visits a single malicious page and, with a chain of this kind, ends up with attacker code running at OS level. Exploits of this class are the stock-in-trade of commercial spyware vendors (NSO Group and Candiru, for example) and nation-state groups conducting targeted surveillance. The October 7, 2021 release was the third Chrome update in roughly four weeks to fix vulnerabilities already exploited in the wild, after the September 13 (CVE-2021-30632, CVE-2021-30633) and September 24 (CVE-2021-37973) updates. CISA included CVE-2021-37975 in the initial Known Exploited Vulnerabilities catalog published on November 3, 2021, alongside the other 2021 Chrome zero-days such as CVE-2021-30632, a reflection of how heavily Chrome was being exploited in that period.
Remediation
- Update Google Chrome to 94.0.4606.71 or later; any current Chrome release includes the fix
- Check the installed build via Chrome menu → Help → About Google Chrome. Opening that page also triggers an update check and installs any pending update, which takes effect after a relaunch; leave automatic updates enabled
- Update Microsoft Edge, Brave, Opera and other Chromium-based browsers to the first release that incorporates the October 7, 2021 Chromium fix; each vendor uses its own version numbering, so consult that vendor's advisory for the exact build
- In enterprise environments, push the update through Google Update policies, Microsoft Endpoint Manager or equivalent fleet-management tooling, and verify with inventory data rather than assuming auto-update has run
- The same Chrome release also fixes CVE-2021-37976 (the information leak) and CVE-2021-37974 (a use-after-free in Safe Browsing), so a browser on 94.0.4606.71 or later carries all three fixes, and one still reporting 94.0.4606.61 carries none of them
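As an added verification step for the remediation list above (example code written for this page, not a Google or CISA tool): a small C routine that compares a Chrome build string numerically against 94.0.4606.71, plus a helper that pulls the `Chrome/` token out of User-Agent strings so the same test can run over proxy or web-server logs to find clients that have not picked up the update. The function names are this example's own, and the sample User-Agent strings are constructed for it.

```c
#include <stdio.h>
#include <string.h>

/* First Chrome build carrying the V8 fix, per Google's October 7, 2021 advisory. */
#define FIXED_CHROME_VERSION "94.0.4606.71"

/* Parse a dotted Chrome version ("94.0.4606.71") into four numeric fields.
 * Missing trailing fields read as 0. Returns the number of fields parsed. */
static int parse_version(const char *s, unsigned v[4]) {
    memset(v, 0, 4 * sizeof v[0]);
    return sscanf(s, "%u.%u.%u.%u", &v[0], &v[1], &v[2], &v[3]);
}

/* Field-by-field numeric comparison (negative, 0, positive like strcmp()).
 * Plain string comparison would rank "100.0.4896.60" below "94.0.4606.71". */
int chrome_version_cmp(const char *a, const char *b) {
    unsigned va[4], vb[4];
    parse_version(a, va);
    parse_version(b, vb);
    for (int i = 0; i < 4; i++)
        if (va[i] != vb[i]) return va[i] < vb[i] ? -1 : 1;
    return 0;
}

/* 1 if the build predates the fix and is therefore still exposed to CVE-2021-37975. */
int chrome_is_vulnerable(const char *version) {
    return chrome_version_cmp(version, FIXED_CHROME_VERSION) < 0;
}

/* Extract the "Chrome/<version>" token from a User-Agent string (proxy or web-server
 * log). Returns 1 and fills `out` on success, 0 when there is no Chrome token. */
int chrome_version_from_ua(const char *ua, char *out, size_t out_len) {
    const char *p = strstr(ua, "Chrome/");
    if (!p) return 0;
    p += strlen("Chrome/");
    size_t n = strspn(p, "0123456789.");
    if (n == 0 || n + 1 > out_len) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Constructed sample log entries: three Chrome builds and one non-Chromium browser. */
static const char *sample_uas[] = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
};
#define N_SAMPLE_UAS (int)(sizeof sample_uas / sizeof sample_uas[0])

/* Count entries that still report a Chrome build older than the fix. */
int count_vulnerable_uas(const char **uas, int n) {
    int hits = 0;
    char ver[32];
    for (int i = 0; i < n; i++)
        if (chrome_version_from_ua(uas[i], ver, sizeof ver) && chrome_is_vulnerable(ver))
            hits++;
    return hits;
}

int main(void) {
    printf("%d of %d sampled user agents report a Chrome build before %s\n",
           count_vulnerable_uas(sample_uas, N_SAMPLE_UAS), N_SAMPLE_UAS, FIXED_CHROME_VERSION);
    return 0;
}
```

Two caveats when using this against real logs. Edge, Brave and Opera send a `Chrome/` token that reflects their Chromium base plus their own product token, so the check still applies to them, but confirm against each vendor's advisory. Newer Chrome builds reduce the User-Agent to a form such as `Chrome/100.0.0.0`; that still compares as newer than the fix, which is the right answer. A User-Agent is also trivially spoofed, so treat a hit as an inventory lead to confirm with endpoint-management data, not as proof of patch state.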
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-37975 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2021-10-08 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 (Use After Free) |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (CISA BOD 22-01).
Timeline
| Date | Event |
|---|---|
| 2021-10-07 | Google releases Chrome 94.0.4606.71 for Windows, Mac and Linux, fixing CVE-2021-37974, CVE-2021-37975 and CVE-2021-37976; exploits for CVE-2021-37975 and CVE-2021-37976 are reported in the wild |
| 2021-10-08 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — October 7, 2021 (94.0.4606.71) | Vendor Advisory |
| NVD — CVE-2021-37975 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |