CVE-2019-5825
Published: 25 November 2019
Summary
CVE-2019-5825 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
The vulnerability is an out-of-bounds write issue in the JavaScript engine of Google Chrome versions prior to 73.0.3683.86, tracked under CWE-787. It resides in JavaScript handling and can result in heap corruption when processing specially crafted input.
A remote attacker can exploit the flaw by serving a crafted HTML page to a victim. With a network attack vector, no privileges required, and user interaction limited to rendering the page, successful exploitation can achieve a high-impact denial of service through heap corruption; the CVSS vector does not indicate confidentiality or integrity impact.
Advisories in the Chrome stable channel update for desktop dated April 30, 2019, and the associated Chromium bug tracker entry indicate that updating to version 73.0.3683.86 or later resolves the issue. Public references also include a proof-of-concept demonstrating Array.map corruption in Chrome 72 and 73 builds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-15396
Vulnerability details
Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patch (Chrome 73.0.3683.86) that eliminates the out-of-bounds write in the JavaScript engine.
- CM-6 (Configuration Settings): enforces configuration settings such as automatic browser updates and approved version baselines that would have prevented use of the vulnerable Chrome builds.
- SI-3 (Malicious Code Protection): malicious-code protection mechanisms can block or alert on crafted HTML/JS payloads that trigger the heap-corruption flaw before or during exploitation.
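As an added example (not part of this advisory and not Chromium's own tooling), the following inventory check flags Chrome builds older than the fixed release 73.0.3683.86, which is the kind of version-baseline check the SI-2 and CM-6 controls above call for; the hostnames and version strings are constructed sample data.

```python
# Added example: flag Chrome builds older than the fixed release named in the
# CVE record. The inventory below is constructed sample data, not real hosts.
from typing import Dict, Tuple

FIXED_VERSION = "73.0.3683.86"  # first Chrome release that resolves CVE-2019-5825


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a Chrome version string into a comparable 4-field tuple.

    Chrome versions have four dotted numeric fields; shorter strings are padded
    with zeros so "74" compares as 74.0.0.0. Non-numeric input raises ValueError
    so a malformed inventory entry is reported instead of silently passing.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Chrome version format: {v!r}")
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(installed: str) -> bool:
    """True if the installed build is older than the fixed version."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unknown' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostname -> Chrome version reported by the host).
SAMPLE_INVENTORY = {
    "ws-01": "72.0.3626.121",  # Chrome 72 build, affected
    "ws-02": "73.0.3683.75",   # Chrome 73 build older than the fix, affected
    "ws-03": "73.0.3683.86",   # exactly the fixed build
    "ws-04": "74.0.3729.108",  # later release
    "ws-05": "unknown",        # malformed entry from the inventory tool
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```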