CVE-2019-5786
Published: 27 June 2019
Summary
CVE-2019-5786 is a medium-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
The vulnerability is an object lifetime issue, specifically a use-after-free condition tracked as CWE-416, that affects the Blink rendering engine in Google Chrome versions prior to 72.0.3626.121. It can be triggered by a crafted HTML page and results in the potential for out-of-bounds memory access.
A remote attacker can exploit the flaw by serving a malicious web page that a user visits; no authentication or other privileges are required. Successful exploitation has a high impact on availability, and the CVSS vector indicates a network attack vector, low attack complexity, and required user interaction.
Chrome stable channel updates released in March 2019 address the issue by advancing the browser to version 72.0.3626.121 or later. The vulnerability is also catalogued by CISA among actively exploited flaws in the wild.
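The remediation above comes down to confirming that every managed browser is at 72.0.3626.121 or later. The following is an added example, not part of this advisory, that classifies an inventory of hostname/version pairs against that fixed build. The inventory rows are constructed, and the comparison is numeric per dotted segment because a plain string comparison would sort "9.x" above "72.x".

```python
"""Flag Chrome installations still below the CVE-2019-5786 fixed version.

Added example, not part of the advisory. It assumes an inventory exported
as (hostname, version string) pairs; the sample rows below are constructed.
"""
from typing import Iterable

# First Chrome stable build carrying the fix (from the advisory text).
FIXED_VERSION = "72.0.3626.121"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for numeric comparison.

    Plain string comparison is wrong here: "9.0.1" > "72.0.3626.121" lexically.
    Raises ValueError on anything that is not dot-separated integers.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build.

    Tuples compare element-wise; a shorter tuple that is a prefix of a longer
    one sorts first, so "72.0.3626" counts as older than "72.0.3626.121".
    """
    return parse_version(version) < parse_version(fixed)


def find_unpatched(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Split an inventory into hosts needing the patch, hosts already fixed,
    and hosts whose version string could not be parsed (flagged for review)."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unparsable": []}
    for host, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unparsable"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-01", "72.0.3626.96"),    # older build in the same major: vulnerable
    ("ws-02", "72.0.3626.121"),   # exactly the fixed build: patched
    ("ws-03", "9.0.597.84"),      # very old build; a lexical compare would miss it
    ("ws-04", "74.0.3729.108"),   # later major: patched
    ("ws-05", "unknown"),         # inventory gap: needs manual review
]

if __name__ == "__main__":
    for bucket, hosts in find_unpatched(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Unparsable entries are reported separately rather than silently treated as patched, so an inventory gap cannot hide an exposed host.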
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-0957
Vulnerability details
Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
- CWE(s): CWE-416
- KEV Date Added: 23 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the Chrome 72.0.3626.121 patch that eliminates the use-after-free flaw.
- SI-3 (Malicious Code Protection): enforces inspection or blocking of the crafted HTML/JS payload used to trigger the Blink vulnerability.
- SI-16 (Memory Protection): implements memory-protection mechanisms that can mitigate exploitation of the use-after-free condition in the renderer process.