CVE-2020-16009

Warning

Exploit

EPSS 78.73%
Published 03.11.2020 03:15:15
Last modified 30.07.2025 19:00:37
Source chrome-cve-admin@google.com
Teams watchlist Login
Open Login

Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected products Warnungen 1 Metrics 4 CWE 2 References 12

Data is provided by the National Vulnerability Database (NVD)

Cefsharp ≫ Cefsharp Version < 86.0.241

Google ≫ Chrome Version < 86.0.4240.183

Microsoft ≫ Edge Version < 86.0.622.63

Microsoft ≫ Edge Chromium Version < 86.0.4240.183

Opensuse ≫ Backports Sle Version15.0 Updatesp1

Opensuse ≫ Backports Sle Version15.0 Updatesp2

Opensuse ≫ Leap Version15.1

Opensuse ≫ Leap Version15.2

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Debian ≫ Debian Linux Version10.0

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Google Chromium V8 Type Confusion Vulnerability

Vulnerability

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	78.73%	0.99

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S4XYJ7B6OXHZNYSA5J3DBUOFEC6WCAGW/

Release Notes

https://www.debian.org/security/2021/dsa-4824

Third Party Advisory

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html

Third Party Advisory

Broken Link

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SC3U3H6AISVZB5PLZLLNF4HMQ4UFFL7M/

Release Notes

https://security.gentoo.org/glsa/202011-12