Google Chrome Zero-Day Type Confusion Vulnerability (CVE-2021-30563)

Another Google Chrome zero-day vulnerability was in the news in mid-July 2021. The zero-days prior to this one were as follows:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21206 – April 13th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021
  • CVE-2021-30551 – June 9th, 2021
  • CVE-2021-30554 – June 17th, 2021

Google addressed the zero-day, saying that they are “aware of reports that an exploit for CVE-2021-30563 exists in the wild.” The Stable channel has been updated to 91.0.4472.164 for Windows, Mac and Linux, which will roll out over the coming days/weeks. Details regarding the fixed zero-day vulnerability are limited, except for the information that it is a Type Confusion bug in V8, the open-source JavaScript engine used in Chrome and other Chromium-based web browsers.

A remote attacker could exploit the vulnerability by luring a victim into visiting a specially crafted webpage, triggering the type confusion bug and executing arbitrary code on the target system. Successful exploitation of this vulnerability may result in the complete compromise of the vulnerable system.

Affected products

Google Chrome prior to 91.0.4472.164.


Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux. The update includes 8 security fixes, including a zero-day that is being exploited in the wild and is being tracked as CVE-2021-30563.

One can perform a manual update by going to Settings > Help > About Google Chrome.

Qualys Detection

Qualys customers can scan their network with QID 375718 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
