The flaw, tracked as CVE-2021-21227 and rated high severity, was reported to Google by researcher Gengming Liu from Chinese cybersecurity firm Singular Security Lab.
The researcher earned $15,000 for reporting the vulnerability, which Google described as “insufficient data validation in V8.”
Liu told SecurityWeek that the flaw can be exploited for remote code execution in the targeted user’s browser, but noted that, similar to other recently disclosed V8 vulnerabilities, it does not escape the Chrome sandbox — a sandbox escape bug is needed to exploit CVE-2021-21227 in real world attacks.
