Cyber Resilience

CVE-2019-13720

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 25 November 2019

Published
25 November 2019
Modified
24 October 2025
KEV Added
23 May 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.8959 99.6th percentile
Risk Priority 91 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-13720 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a use-after-free flaw (CWE-416) in the WebAudio component of Google Chrome versions prior to 78.0.3904.87. It can result in heap corruption when processing a specially crafted HTML page, as documented in the associated Chromium bug report.

A remote attacker can trigger the issue by causing a victim to visit a malicious web page, achieving high-impact effects on confidentiality, integrity, and availability without requiring authentication. The CVSS 8.8 vector reflects network attack reachability, low complexity, and the need for user interaction via the browser.

Advisories and patches direct users to upgrade Chrome to version 78.0.3904.87 or later, as stated in the official Stable Channel update. Downstream distributions such as openSUSE and Gentoo have issued corresponding security updates to address the same defect. A public reference also describes remote code execution potential against the affected 78.0.3904.70 build.

EU & UK References

Vulnerability details

Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s)
KEV Date Added
23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 78.0.3904.87
opensuse
leap
15.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch that eliminates the use-after-free flaw in WebAudio.

prevent

Enforces memory-protection mechanisms that block exploitation of use-after-free conditions leading to heap corruption.

prevent

Requires process isolation (sandboxing) that limits the impact of a successful WebAudio memory corruption exploit.

References