Cyber Resilience

CVE-2020-16013

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 January 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2614 (96.4th percentile)
Risk Priority: 53 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-16013 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2020-16013 is an inappropriate implementation flaw in the V8 JavaScript engine within Google Chrome versions prior to 86.0.4240.198. The issue is categorized under CWE-787 and manifests as heap corruption that can be triggered by a specially crafted HTML page. It received a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, no required privileges, and required user interaction (UI:R).

A remote attacker can exploit the vulnerability by persuading a user to visit a malicious web page, after which heap corruption may be achieved. Successful exploitation can result in impacts to confidentiality, integrity, and availability, consistent with the high-severity rating.

Chrome stable-channel updates released on 11 November 2020 address the flaw by updating V8 to a corrected version. The vulnerability also appears in CISA’s catalog of known exploited vulnerabilities, confirming observed in-the-wild use.

Vulnerability details

Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-787
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google · chrome · ≤ 86.0.4240.198

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch that corrects the V8 heap-corruption flaw in Chrome < 86.0.4240.198.

prevent

Mandates memory-protection safeguards that can block or contain the unauthorized code execution resulting from the heap corruption.

SC-18 Mobile Code partial match
prevent

Establishes usage restrictions and security settings for mobile code (JavaScript) delivered via crafted HTML pages that trigger the V8 flaw.