CVE-2020-16017
Published: 08 January 2021
Summary
CVE-2020-16017 is a critical-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2020-16017 is a use-after-free vulnerability in the site isolation feature of Google Chrome versions prior to 86.0.4240.198. The flaw, tracked under CWE-416, resides in the browser's renderer process handling and carries a CVSS 3.1 score of 9.6, reflecting its high impact across confidentiality, integrity, and availability with changed scope.
A remote attacker who has already compromised the renderer process can exploit the issue by serving a crafted HTML page, enabling a sandbox escape that grants access to resources outside the intended renderer isolation boundaries. User interaction is required for successful exploitation.
The Chrome stable channel update released on 11 November 2020 fixes the vulnerability; affected installations should be updated to version 86.0.4240.198 or later. CISA also lists the flaw among vulnerabilities known to be exploited in the wild.
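As an added example (not from the original advisory), the following Python check flags installed Chrome builds below the fixed version 86.0.4240.198 named above. It compares the four numeric version components rather than the raw strings, which would misorder patch numbers; the inventory it runs over is constructed sample data.

```python
"""Flag Chrome builds still exposed to CVE-2020-16017.

Added example, not part of the original advisory: compares installed
Chrome versions against the fixed build 86.0.4240.198 from the page.
The inventory below is constructed sample data.
"""
from __future__ import annotations

FIXED_VERSION = "86.0.4240.198"  # first Chrome stable build carrying the fix


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version into a tuple of ints.

    Chrome uses four numeric components (major.minor.build.patch); comparing
    the raw strings would rank "86.0.4240.98" above "86.0.4240.198".
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the build predates the fix (strictly below the fixed version)."""
    return parse_version(version) < parse_version(fixed)


def find_exposed(inventory: dict[str, str]) -> list[str]:
    """Return hostnames whose Chrome build still needs the 86.0.4240.198 update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostname -> reported Chrome version.
SAMPLE_INVENTORY = {
    "ws-finance-01": "86.0.4240.111",  # pre-fix build on the 86 line
    "ws-finance-02": "86.0.4240.198",  # exactly the fixed build
    "ws-hr-07": "86.0.4240.98",        # string comparison would call this newer than .198
    "ws-dev-03": "87.0.4280.66",       # later major release
    "ws-legacy-09": "85.0.4183.121",   # older release line
}

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} < {FIXED_VERSION}, update required")
```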
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-1456
Vulnerability details
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Google Chrome prior to 86.0.4240.198
Mitigating Controls (NIST 800-53 r5)
- SC-39 (Process Isolation): Directly enforces the process isolation boundaries that site isolation relies on to contain renderer compromises and block sandbox escapes.
- SI-16 (Memory Protection): Provides memory protection mechanisms that mitigate use-after-free flaws (CWE-416) in renderer handling.
- Flaw remediation: Requires timely application of vendor patches that close the specific site-isolation flaw in Chrome versions prior to 86.0.4240.198.