Cyber Resilience

CVE-2020-15999

Critical | CISA KEV | Active Exploitation | EUVD Exploited | Public PoC

Published: 03 November 2020

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.9303 (99.8th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-15999 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-15999 is a heap buffer overflow in the FreeType component of Google Chrome versions prior to 86.0.4240.111. It is tracked under CWE-787 and CWE-120 and carries a CVSS 3.1 score of 9.6, reflecting a network attack vector, low attack complexity, required user interaction, changed scope, and high impact on confidentiality, integrity, and availability.

A remote attacker can trigger the flaw by causing a victim to render a crafted HTML page, resulting in heap corruption that may be leveraged for further exploitation.

Chrome stable channel updates and downstream advisories such as the openSUSE security announcement direct users to upgrade to version 86.0.4240.111 or later. A detailed root-cause analysis is available from Google Project Zero.

Vulnerability details

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-787, CWE-120
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
google | chrome | ≤ 86.0.4240.111
freetype | freetype | 2.6.0 to 2.10.4
debian | debian linux | 10.0
fedoraproject | fedora | 31
opensuse | backports sle | 15.0
netapp | ontap select deploy administration utility | all versions

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly requires timely installation of the vendor patch (Chrome 86.0.4240.111+) that eliminates the heap buffer overflow.

prevent: Enforces memory-protection mechanisms that can block or contain heap-corruption attempts triggered by the crafted HTML page.

prevent: Mandates input validation on untrusted data (font rendering) to stop the out-of-bounds write that underlies CVE-2020-15999.
