CVE-2020-6572
Published: 14 January 2021
Summary
CVE-2020-6572 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 4.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Deeper analysis
CVE-2020-6572 is a use-after-free vulnerability in the Media component of Google Chrome versions prior to 81.0.4044.92, tracked under CWE-416. The flaw resides in how the browser handles media resources during page rendering, allowing memory to be accessed after it has been freed.
A remote attacker can exploit the issue by serving a specially crafted HTML page to a victim. User interaction is required, since the victim must visit the page. Successful exploitation grants arbitrary code execution in the context of the browser process. The CVSS 3.1 score is 8.8.
The Chrome stable channel update released on 7 April 2020 addresses the vulnerability; upgrade to version 81.0.4044.92 or later. The issue appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-27721
Vulnerability details
Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
- CWE(s): CWE-416
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the Chrome 81.0.4044.92 patch that eliminates the use-after-free flaw.
Enforces memory-protection mechanisms that can block exploitation of use-after-free conditions in browser media handling.
Requires process isolation (e.g., browser sandbox) that limits arbitrary code execution to the compromised renderer process.