Cyber Resilience

CVE-2020-16017

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 January 2021
Modified: 24 October 2025
KEV Added: 03 November 2021
Patch: available
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.2142 (95.8th percentile)
Risk Priority: 52 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-16017 is a critical-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood (EPSS 0.2142, 95.8th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2020-16017 is a use-after-free vulnerability in the site isolation feature of Google Chrome versions prior to 86.0.4240.198. The flaw, tracked under CWE-416, resides in the browser's renderer process handling and carries a CVSS 3.1 score of 9.6, reflecting its high impact across confidentiality, integrity, and availability with changed scope.

A remote attacker who has already compromised the renderer process can exploit the issue by serving a crafted HTML page, enabling a sandbox escape that grants access to resources outside the intended renderer isolation boundaries. User interaction is required for successful exploitation.

Chrome stable channel updates released on 11 November 2020 address the vulnerability; updating to version 86.0.4240.198 or later remediates it. The flaw is also catalogued by CISA among vulnerabilities known to be exploited in the wild.

EU & UK References

Vulnerability details

Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: google
Product: chrome
Versions: prior to 86.0.4240.198 (fixed in 86.0.4240.198)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-39 Process Isolation (prevent): Directly enforces the process isolation boundaries that site isolation relies on to contain renderer compromises and block sandbox escapes.

SI-16 Memory Protection (prevent): Provides memory protection mechanisms that mitigate use-after-free flaws (CWE-416) in renderer handling.

Flaw remediation (prevent): Requires timely application of vendor patches that close the specific site-isolation flaw in Chrome versions prior to 86.0.4240.198.

References