CVE-2021-4102 — Google Chromium V8 Use-After-Free Vulnerability


Google Chrome/Chromium V8 — Use-After-Free Zero-Day Enabling Heap Corruption via Crafted HTML; Chrome 96 Emergency Patch December 2021

What is Chrome V8?

V8 is the JavaScript engine used in Google Chrome, Chromium, Microsoft Edge, Opera, and many other Chromium-based browsers, as well as Node.js. V8 compiles and executes JavaScript code at high speed using JIT (just-in-time) compilation. Because V8 processes untrusted JavaScript from any web page, vulnerabilities in V8 are among the most impactful browser security bugs — a V8 RCE allows a malicious web page to execute code in the renderer process, bypassing same-origin policy and potentially escaping the browser sandbox with additional vulnerabilities.

Overview

CVE-2021-4102 is a use-after-free vulnerability (CWE-416) in the Chrome V8 JavaScript engine. The vulnerability involves a heap corruption condition triggered by specially crafted HTML/JavaScript content. An attacker who convinces a user to visit a malicious web page can exploit the UAF condition to execute arbitrary code in the Chrome renderer process. Google released an emergency stable channel update (Chrome 96.0.4664.110) on December 13, 2021, noting that an exploit for CVE-2021-4102 existed in the wild. This was the 17th Chrome zero-day of 2021 — a record year for Chrome vulnerabilities. CISA added it to KEV two days after the patch.

Affected Versions

Product                         | Vulnerable                      | Fixed
Google Chrome                   | Yes, versions before 96.0.4664.110 | 96.0.4664.110
Microsoft Edge (Chromium-based) | Yes, before equivalent update   | Apply Edge update
Other Chromium-based browsers   | Versions before fix             | Apply vendor update

Technical Details

  • Root cause: Use-after-free (CWE-416) in V8 — JavaScript engine memory management allows a heap object to be freed while a reference to it persists, enabling heap corruption via the dangling pointer
  • Trigger: Processing specially crafted JavaScript/HTML in the browser triggers the UAF condition
  • User interaction required: The victim must visit a malicious page or open a crafted file in the browser
  • Renderer code execution: A successful exploit executes attacker code in the Chrome renderer process (sandboxed), which can then be chained with a sandbox escape vulnerability for full OS code execution
  • 2021 Chrome zero-day context: 2021 saw an unprecedented number of Chrome zero-days — CVE-2021-4102 was the 17th in-the-wild exploit for Chrome that year, reflecting sustained investment by threat actors in Chrome exploitation capabilities

Discovery

Reported to Google by an anonymous researcher. Google confirmed active exploitation before the patch was released.

Exploitation Context

Chrome V8 zero-days are primarily used in targeted espionage operations by commercial spyware vendors and nation-state actors, as well as by financially motivated threat actors targeting specific individuals. The user-interaction requirement (visiting a malicious page) limits mass exploitation but doesn't prevent targeted "watering hole" attacks where victims are directed to malicious sites. The exploit was actively used in the wild at the time of patch release.

Remediation

  1. Update Chrome to version 96.0.4664.110 or later immediately — Chrome typically auto-updates but users should verify via Settings → About Chrome
  2. Update all other Chromium-based browsers (Microsoft Edge, Opera, Brave) to their latest versions
  3. Enable Chrome's auto-update feature to receive zero-day patches automatically
  4. Consider enabling Chrome's Enhanced Protection mode in Safe Browsing settings for additional defense against web-based exploitation
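A small inventory check for step 1, added here as an example and not part of the original advisory: it parses the four-part build number printed by `google-chrome --version` / `chromium --version` and compares it numerically against the fixed build 96.0.4664.110 (a plain string comparison would wrongly rank 96.0.4664.93 above 96.0.4664.110). The binary names probed and the sample version strings are assumptions for illustration.

```python
import re
import shutil
import subprocess

# Minimum fixed build from the advisory (Chrome 96 stable update, 2021-12-13).
FIXED_VERSION = "96.0.4664.110"

# Matches the version token in output such as "Google Chrome 96.0.4664.93" or
# "Chromium 96.0.4664.110 snap" (sample strings constructed for this example).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the reported build is older than the fixed build.

    Returns None when no version can be parsed, so a garbled or empty
    `--version` output is never mistaken for a patched browser.
    """
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(fixed)   # tuple comparison is numeric per field


# Assumed binary names; adjust for the distribution or OS being inventoried.
DEFAULT_BINARIES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")


def check_installed_browsers(candidates=DEFAULT_BINARIES):
    """Run `<binary> --version` for each browser found on PATH and classify it.

    Returns a dict: binary name -> (version string or None, vulnerable flag).
    """
    results = {}
    for name in candidates:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            out = ""
        v = parse_version(out)
        results[name] = (".".join(map(str, v)) if v else None, is_vulnerable(out))
    return results


if __name__ == "__main__":
    for name, (version, vulnerable) in check_installed_browsers().items():
        status = {True: "VULNERABLE - update", False: "patched", None: "version unknown"}[vulnerable]
        print(f"{name}: {version or '?'} ({status})")
```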

Key Details

Property             | Value
CVE ID               | CVE-2021-4102
Vendor / Product     | Google — Chromium V8
NVD Published        | 2022-02-11
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 8.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-416
CISA KEV Added       | 2021-12-15
CISA KEV Deadline    | 2021-12-29
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-12-29. Apply updates per vendor instructions.

Timeline

Date       | Event
2021-12-13 | Google releases Chrome 96.0.4664.110 patching the CVE-2021-4102 zero-day
2021-12-15 | Added to CISA Known Exploited Vulnerabilities catalog
2021-12-29 | CISA BOD 22-01 remediation deadline
2022-02-11 | CVE formally published