Type Confusion in Google Chrome V8
CVE-2021-30551 is a type confusion vulnerability in the V8 JavaScript engine in Google Chrome prior to 91.0.4472.101. A remote attacker who lures a target to a crafted HTML page can trigger heap corruption in the browser's renderer process. The flaw stems from incorrect type handling during JavaScript execution: V8 treats an object as a type it is not, driving it into an invalid state and corrupting memory. Google TAG reported that this vulnerability was exploited by Candiru in 2021 via single-use links sent to targets believed to be in Armenia.
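The only hard fact a defender can act on from the advisory is the fixed build, 91.0.4472.101. The following is an added example (not from this page or from any tracked repository) of the version check a practitioner would run over a Chrome inventory. The inventory lines are constructed; hostnames, the `triage_inventory` helper and the CSV-like format are assumptions made for illustration. The point it makes beyond the text is that Chrome versions must be compared numerically, field by field, since a naive string comparison ranks `91.0.4472.99` above the fixed `91.0.4472.101`.

```python
"""Flag Chrome installs vulnerable to CVE-2021-30551 by version number.

Added example, not code from the advisory page or from the PoC repository.
The inventory records below are constructed; the only fact taken from the
advisory is the fixed version, 91.0.4472.101.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

FIXED_VERSION = "91.0.4472.101"

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(s: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Returns None for anything that is not a well-formed four-part version,
    so a malformed inventory entry is reported instead of being silently
    counted as patched (or as vulnerable).
    """
    s = s.strip()
    if not _VERSION_RE.match(s):
        return None
    major, minor, build, patch = (int(x) for x in s.split("."))
    return (major, minor, build, patch)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if `version` is strictly below the fixed build.

    Tuple comparison is numeric per field, which avoids the string-compare
    mistake where '91.0.4472.99' sorts after '91.0.4472.101'. Returns None
    when the version string cannot be parsed.
    """
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    return v < f


def triage_inventory(records: Iterable[str]) -> Dict[str, List[str]]:
    """Split 'hostname,version' lines into vulnerable / patched / unparseable.

    Hypothetical inventory format assumed for this example: one record per
    line, comma separated, '#' lines are comments.
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        verdict = is_vulnerable(version)
        if verdict is None:
            result["unparseable"].append(host)
        elif verdict:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hostname,chrome_version); not real hosts.
SAMPLE_INVENTORY = """
# host,chrome_version
ws-001,91.0.4472.77
ws-002,91.0.4472.101
ws-003,91.0.4472.99
ws-004,90.0.4430.212
ws-005,92.0.4515.107
ws-006,unknown
"""

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

This is a pure version check: it says whether a host is running a build that still carries the bug, not whether it was ever targeted. Any version string that does not parse is surfaced separately rather than dropped, because an "unknown" in an inventory is exactly the host you cannot vouch for.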
Exploits
One public exploit remained after fakes, detection scripts, and README-only repositories were filtered out.
This repository contains a proof-of-concept exploit for CVE-2021-30551, a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome. It consists of a README.md with usage instructions and a single exploit file, exp.html. The exploit is written in JavaScript and HTML and turns the type confusion into out-of-bounds array access, builds arbitrary read and write primitives from it, and uses WebAssembly, which V8 exploits typically rely on to obtain executable memory for shellcode. The payload is x64 shellcode that spawns a shell, demonstrating code execution in the browser's renderer process. A V8 bug on its own yields code execution only inside Chrome's sandboxed renderer, so actually seeing the shell requires launching Chrome with its sandbox disabled or chaining a separate sandbox escape; the description above mentions neither. The exploit is meant to be served from a local web server and opened in a vulnerable Chrome version. The code is operational and demonstrates the full exploitation chain, but it is not weaponized for mass exploitation. No external network endpoints are hardcoded in the exploit itself; the README gives example URLs for local testing and version checking.
Recent activity
Two sources tracked across advisories, community write-ups, and news.
A Google Chrome renderer remote code execution (RCE) zero-day exploited in targeted attacks attributed to Candiru.
A Chrome browser remote code execution exploit referenced as being used by Candiru for drive-by compromise via a crafted URL.