CVE-2021-21220

HIGH · KEV

Google Chrome < 89.0.4389.128 - Heap Corruption

Title source: llm

Exploitation Summary

CVE-2021-21220 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021). EIP tracks 6 public exploits from researchers including JacobTaylor3, borahll and AmesianX, as well as a Metasploit module, exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation. The bug lives in V8, i.e. in the renderer process: the public exploits and the Metasploit module give code execution inside the renderer, and the module requires the browser to run with --no-sandbox; a fully sandboxed browser additionally needs a separate sandbox escape.

AI-analyzed exploit summary (first listed PoC): This repository contains a functional C2 framework leveraging CVE-2021-21220 (Chromium V8 exploit) to deliver a Windows implant via shellcode embedded in a webpage. The implant establishes mTLS communication with a C2 server through a redirector, providing a reverse shell.

Description

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
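The advisory gives a single fixed build, so the defensive check is an inventory question: which clients are still presenting a Chrome build below 89.0.4389.128 when they hit your sites? The script below is an added example for this page, not code from any PoC repository or the Metasploit module listed here. It classifies User-Agent strings in constructed combined-format access-log lines against the fixed version. The Chrome threshold comes from the description above; the Microsoft Edge threshold (89.0.774.77) is an assumption taken from Microsoft's own release notes and is not stated on this page. The comparison is done on numeric tuples on purpose: as strings, "89.0.4389.90" sorts after "89.0.4389.128", so a naive string compare would report a vulnerable build as fixed.

```python
"""Spot browsers still below the CVE-2021-21220 fixed build in web-server logs.

Added example for this page; not code from the PoC repositories or the
Metasploit module listed here. The Chrome fixed version (89.0.4389.128) is
from the advisory text. The Edge fixed build (89.0.774.77) is an assumption
taken from Microsoft's release notes, not stated on this page. All log lines
below are constructed sample data.
"""
import re

FIXED = {
    "chrome": (89, 0, 4389, 128),  # from the advisory on this page
    "edge": (89, 0, 774, 77),      # assumption: Edge fix, not stated on this page
}

_CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")
_EDGE_RE = re.compile(r"\bEdg/(\d+(?:\.\d+){0,3})")  # desktop Edge token
_UA_RE = re.compile(r'"([^"]*)"\s*$')                # last quoted field is the UA


def parse_version(text: str) -> tuple:
    """'89.0.4389.114' -> (89, 0, 4389, 114); shorter strings are zero-padded.

    Numeric tuples matter: compared as strings, '89.0.4389.90' sorts after
    '89.0.4389.128' and would wrongly be treated as fixed.
    """
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(user_agent: str) -> dict:
    """Return {'browser', 'version', 'status'} for one User-Agent string.

    Edge UAs also carry a Chrome/ token, so Edg/ is checked first. A UA is
    client-supplied, so this is an inventory hint, not proof of patch state.
    """
    for browser, rx in (("edge", _EDGE_RE), ("chrome", _CHROME_RE)):
        m = rx.search(user_agent)
        if m:
            version = parse_version(m.group(1))
            status = "vulnerable" if version < FIXED[browser] else "fixed"
            return {"browser": browser, "version": m.group(1), "status": status}
    return {"browser": "other", "version": None, "status": "n/a"}


def scan_log(lines) -> list:
    """Classify each combined-format access-log line by its User-Agent."""
    findings = []
    for line in lines:
        m = _UA_RE.search(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rec = classify(m.group(1))
        rec["client"] = line.split(" ", 1)[0]  # first field: client address
        findings.append(rec)
    return findings


def vulnerable_clients(lines) -> list:
    """Client addresses whose browser reports a build below the fixed version."""
    return [r["client"] for r in scan_log(lines) if r["status"] == "vulnerable"]


# Constructed sample lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/89.0.4389.114 Safari/537.36"',
    '203.0.113.6 - - [07/Apr/2021:10:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/89.0.4389.90 Safari/537.36"',
    '203.0.113.7 - - [14/Apr/2021:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/89.0.4389.128 Safari/537.36"',
    '203.0.113.8 - - [14/Apr/2021:09:00:10 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68"',
    '203.0.113.9 - - [14/Apr/2021:09:00:20 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"',
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
    print("needs update:", vulnerable_clients(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. Two caveats when reading the output: a User-Agent is whatever the client chooses to send, so treat a "fixed" verdict as a hint for endpoint-management follow-up rather than proof, and other Chromium derivatives (Brave, Opera, Vivaldi) carry their own version schemes and are not judged here.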

Exploits (6)

nomisec · WORKING POC
by JacobTaylor3 · poc
https://github.com/JacobTaylor3/C2-and-Post-Exploitation-Framework

This repository contains a functional C2 framework leveraging CVE-2021-21220 (Chromium V8 exploit) to deliver a Windows implant via shellcode embedded in a webpage. The implant establishes mTLS communication with a C2 server through a redirector, providing a reverse shell.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Chromium-based browsers (e.g., Google Chrome, Microsoft Edge) with V8 engine
No auth needed
Prerequisites: Victim must browse to a malicious webpage hosting the exploit · C2 infrastructure must be pre-configured with certificates and tokens
devstral-2 · analyzed May 19, 2026

nomisec · WORKING POC
by borahll · poc
https://github.com/borahll/CVE-2021-21220

This repository contains a functional exploit PoC for CVE-2021-21220, demonstrating a JIT optimization bug in V8 leading to OOB access and RCE via WebAssembly manipulation. The code includes detailed steps for triggering the vulnerability and achieving arbitrary code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome V8 engine (specific version not specified)
No auth needed
Prerequisites: V8 engine with vulnerable JIT optimization · WebAssembly support
devstral-2 · analyzed May 19, 2026

nomisec · WORKING POC
by JacobTaylor3 · poc
https://github.com/JacobTaylor3/Docker-Lab-Milestone-3

This repository contains a functional exploit for CVE-2021-21220, leveraging a client-side vulnerability to execute shellcode in a victim's browser, which then downloads and executes a malicious payload. The infrastructure includes a C2 server, redirectors, and exfiltration mechanisms, demonstrating a full attack chain.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Chromium-based browsers (e.g., Google Chrome, Microsoft Edge)
No auth needed
Prerequisites: Victim must browse to a malicious webpage · Docker environment for infrastructure setup · Windows victim VM for testing
devstral-2 · analyzed May 19, 2026

nomisec · WORKING POC
by JacobTaylor3 · poc
https://github.com/JacobTaylor3/CVE-2021-21220

This repository contains a functional exploit for CVE-2021-21220, a Chrome V8 engine vulnerability. The exploit leverages a type confusion bug to achieve arbitrary read/write primitives, ultimately executing shellcode on the victim's machine via a malicious webpage.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome 90.0.4403.0
No auth needed
Prerequisites: Victim must visit a malicious webpage hosted by the attacker · Chrome version 90.0.4403.0 must be used
devstral-2 · analyzed Apr 10, 2026

nomisec · WORKING POC
by AmesianX · poc
https://github.com/AmesianX/CVE-2021-21220

This repository contains a functional exploit for CVE-2021-21220, a V8 engine vulnerability in Chrome. The exploit leverages a type confusion bug to achieve arbitrary read/write primitives and executes shellcode in a RWX memory page.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome (V8 engine)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 18, 2026

metasploit · WORKING POC · MANUAL
by Bruno Keith (bkth_), Niklas Baumstark (_niklasb), Rajvardhan Agarwal (r4j0x00), Grant Willcox (tekwizz123) · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation.rb

This Metasploit module exploits CVE-2021-21220, a V8 engine vulnerability in Google Chrome before 89.0.4389.128, using an out-of-bounds access that stems from incorrect typing in the XOR typer to achieve remote code execution. JavaScript drives the memory-corruption primitives, and a WebAssembly instance supplies the RWX page into which the shellcode is written and then executed.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome < 89.0.4389.128/90.0.4430.72
No auth needed
Prerequisites: Target must visit a malicious webpage · Browser must be run with --no-sandbox for full exploitation (the bug is in the renderer, so with the sandbox enabled the module only gains code execution inside the sandboxed renderer process and a separate sandbox escape would be needed)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.9124
EPSS Percentile: 99.7%
Attack Vector: NETWORK

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-06-08
InTheWild.io 2021-04-07
ENISA EUVD EUVD-2021-8611
CWE
CWE-787
Status published
Products (4)
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
google/chrome < 89.0.4389.128
Published Apr 26, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026