Cyber Resilience

CVE-2020-6418

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 27 February 2020

Modified: 24 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8637 (99.4th percentile)
Risk Priority: 89 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-6418 is a high-severity type confusion (CWE-843) vulnerability in the V8 JavaScript engine of Google Chrome; Fedora is among the affected distributions. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability CVE-2020-6418 is a type confusion flaw (CWE-843) in the V8 JavaScript engine of Google Chrome versions prior to 80.0.3987.122. It can result in heap corruption when the engine processes certain inputs, carrying a CVSS 3.1 base score of 8.8.

A remote attacker can trigger the issue by serving a crafted HTML page to a victim. Exploiting the resulting memory corruption can compromise confidentiality, integrity, and availability. The attacker needs no authentication, but the victim must load the page (UI:R in the CVSS vector).

Advisories and patches direct users to upgrade Chrome to 80.0.3987.122 or newer; Red Hat and Fedora have issued corresponding errata (RHSA-2020:0738 and Fedora package updates) that address the affected browser packages.

Public references include a detailed Chromium bug report and a proof-of-concept demonstrating side-effect handling during JSCreate operations that leads to the type confusion.

Vulnerability details

Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CWE(s): CWE-843
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
google | chrome | ≤ 80.0.3987.122
fedoraproject | fedora | 30, 31
redhat | enterprise linux desktop | 6.0
redhat | enterprise linux server | 6.0
redhat | enterprise linux workstation | 6.0
debian | debian linux | 10.0, 9.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely application of the vendor patch (Chrome 80.0.3987.122) that eliminates the V8 type-confusion flaw.

SC-18 Mobile Code (partial match)
prevent

Controls execution of mobile code (JavaScript), which is what a remote attacker's crafted HTML page uses to trigger and exploit the engine bug.

prevent, detect

Verifies integrity of browser software and updates, ensuring the vulnerable V8 binary is replaced and not subsequently altered.
