Cyber Resilience

CVE-2020-16009

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 03 November 2020
Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8438 (99.3rd percentile)
Risk Priority: 88 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-16009 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in openSUSE Backports SLE. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability is an inappropriate implementation in the V8 JavaScript engine within Google Chrome versions prior to 86.0.4240.183. It is associated with CWE-787 (out-of-bounds write) and CWE-843 (type confusion) and can result in heap corruption when a victim visits a crafted HTML page. The issue received a CVSS 3.1 base score of 8.8.

A remote attacker can exploit the flaw by serving a malicious HTML page that triggers the corruption. Successful exploitation grants the attacker confidentiality, integrity, and availability impacts without requiring authentication or special privileges beyond convincing the user to visit the page.

Chrome release notes and distribution advisories direct users to upgrade to version 86.0.4240.183 or later; corresponding openSUSE updates were published to address the same component. Public references also include a proof-of-concept targeting V8's TurboFan JIT compiler via type confusion.

EU & UK References

Vulnerability details

Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-787 (Out-of-bounds Write), CWE-843 (Type Confusion)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product          Affected versions
cefsharp        cefsharp         ≤ 86.0.241
google          chrome           ≤ 86.0.4240.183
microsoft       edge             ≤ 86.0.622.63
microsoft       edge chromium    ≤ 86.0.4240.183
opensuse        backports sle    15.0
opensuse        leap             15.1, 15.2
fedoraproject   fedora           32, 33
debian          debian linux     10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of security-relevant patches to remediate the V8 heap-corruption flaw before exploitation.

SC-18 Mobile Code, partial match (prevent)

Restricts or authorizes mobile code (JavaScript executed by V8) that is the delivery and trigger mechanism for the crafted HTML page.

Control identifier not given on this page (prevent, detect)

Deploys malicious-code protection mechanisms that can block or alert on web content attempting to exploit the V8 type-confusion flaw.

References