CVE-2020-16013
Published: 08 January 2021
Summary
CVE-2020-16013 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, this CVE ranks in the top 3.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2020-16013 is an inappropriate implementation flaw in the V8 JavaScript engine within Google Chrome versions prior to 86.0.4240.198. The issue is categorized under CWE-787 and manifests as heap corruption that can be triggered by a specially crafted HTML page. It received a CVSS 3.1 base score of 8.8, reflecting network attack vector, low complexity, and no required privileges.
A remote attacker can exploit the vulnerability by persuading a user to visit a malicious web page, after which heap corruption may be achieved. Successful exploitation can result in impacts to confidentiality, integrity, and availability, consistent with the high-severity rating.
Chrome stable-channel updates released on 11 November 2020 address the flaw by updating V8 to a corrected version. The vulnerability also appears in CISA’s catalog of known exploited vulnerabilities, confirming observed in-the-wild use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-1474
Vulnerability details
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Google Chrome (V8 JavaScript engine) versions prior to 86.0.4240.198
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patch that corrects the V8 heap-corruption flaw in Chrome < 86.0.4240.198.
- Memory protection: mandates memory-protection safeguards that can block or contain the unauthorized code execution resulting from the heap corruption.
- SC-18 (Mobile Code): establishes usage restrictions and security settings for mobile code (JavaScript) delivered via crafted HTML pages that trigger the V8 flaw.