Cyber Resilience

CVE-2019-5825

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 25 November 2019

Modified: 24 October 2025
KEV Added: 08 June 2022
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS Score: 0.7825 (99.0th percentile)
Risk Priority: 80 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-5825 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

The vulnerability is an out-of-bounds write issue in the JavaScript engine of Google Chrome versions prior to 73.0.3683.86, tracked under CWE-787. It resides in JavaScript handling and can result in heap corruption when processing specially crafted input.

A remote attacker can exploit the flaw by serving a crafted HTML page to a victim. The attack vector is the network, no privileges are required, and the only user interaction needed is rendering the page. Successful exploitation can achieve a high-impact denial of service through heap corruption; the CVSS vector does not indicate confidentiality or integrity impact.

The Chrome stable channel update for desktop dated April 30, 2019, and the associated Chromium bug tracker entry indicate that updating to version 73.0.3683.86 or later resolves the issue. Public references also include a proof-of-concept demonstrating Array.map corruption in Chrome 72 and 73 builds.

Vulnerability details

Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: google
Product: chrome
Affected versions: ≤ 73.0.3683.86

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely installation of the vendor patch (Chrome 73.0.3683.86) that eliminates the out-of-bounds write in the JavaScript engine.

prevent

Enforces configuration settings such as automatic browser updates and approved version baselines that would have prevented use of the vulnerable Chrome builds.

prevent · detect

Malicious-code protection mechanisms can block or alert on crafted HTML/JS payloads that trigger the heap-corruption flaw before or during exploitation.

References