Cyber Resilience

CVE-2019-5786

MediumCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 27 June 2019

Published
27 June 2019
Modified
24 October 2025
KEV Added
23 May 2022
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score 0.8994 99.6th percentile
Risk Priority 87 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-5786 is a medium-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability is an object lifetime issue, specifically a use-after-free condition tracked as CWE-416, that affects the Blink rendering engine in Google Chrome versions prior to 72.0.3626.121. It can be triggered by a crafted HTML page and results in the potential for out-of-bounds memory access.

A remote attacker can exploit the flaw by serving a malicious web page that a user visits, requiring no authentication or other privileges. Successful exploitation yields high impact on availability, with the CVSS vector indicating the attack can be launched over the network with low complexity and user interaction.

Chrome stable channel updates released in March 2019 address the issue by advancing the browser to version 72.0.3626.121 or later. The vulnerability is also catalogued by CISA among actively exploited flaws in the wild.

EU & UK References

Vulnerability details

Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

CWE(s)
KEV Date Added
23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 72.0.3626.121

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the Chrome 72.0.3626.121 patch that eliminates the use-after-free flaw.

prevent

Enforces malicious-code inspection or blocking of the crafted HTML/JS payload used to trigger the Blink vulnerability.

prevent

Implements memory-protection mechanisms that can mitigate exploitation of the use-after-free condition in the renderer process.

References