CVE-2020-16009
Published: 03 November 2020
Summary
CVE-2020-16009 is a high-severity Out-of-bounds Write (CWE-787) vulnerability affecting openSUSE Backports SLE. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability is an inappropriate implementation in the V8 JavaScript engine within Google Chrome versions prior to 86.0.4240.183. It is associated with CWE-787 (out-of-bounds write) and CWE-843 (type confusion) and can result in heap corruption when a victim visits a crafted HTML page. The issue received a CVSS 3.1 base score of 8.8.
A remote attacker can exploit the flaw by serving a malicious HTML page that triggers the corruption. Successful exploitation has high confidentiality, integrity, and availability impact and requires no authentication or special privileges beyond convincing the user to visit the page.
Chrome release notes and distribution advisories direct users to upgrade to version 86.0.4240.183 or later; corresponding openSUSE updates were published to address the same component. Public references also include a proof-of-concept targeting V8's TurboFan JIT compiler via type confusion.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-1500
Vulnerability details
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-787, CWE-843
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of security-relevant patches to remediate the V8 heap-corruption flaw before exploitation.
- SC-18 (Mobile Code): restricts or authorizes mobile code (JavaScript executed by V8), which is the delivery and trigger mechanism for the crafted HTML page.
- Malicious-code protection: deploys mechanisms that can block or alert on web content attempting to exploit the V8 type-confusion flaw.