Cyber Resilience

CVE-2020-6572

HighCISA KEVActive ExploitationEUVD Exploited

Published: 14 January 2021

Published
14 January 2021
Modified
12 January 2026
KEV Added
10 January 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.1907 95.5th percentile
Risk Priority 49 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-6572 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 4.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2020-6572 is a use-after-free vulnerability in the Media component of Google Chrome versions prior to 81.0.4044.92, tracked under CWE-416. The flaw resides in how the browser handles media resources during page rendering, allowing memory to be accessed after it has been freed.

A remote attacker can exploit the issue by serving a specially crafted HTML page to a victim. With user interaction required to visit the page, successful exploitation grants arbitrary code execution in the context of the browser process, carrying a CVSS 3.1 score of 8.8.

Chrome stable channel updates released on 7 April 2020 address the vulnerability by upgrading to version 81.0.4044.92 or later. The issue appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

EU & UK References

Vulnerability details

Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

CWE(s)
KEV Date Added
10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 81.0.4044.92

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the Chrome 81.0.4044.92 patch that eliminates the use-after-free flaw.

prevent

Enforces memory-protection mechanisms that can block exploitation of use-after-free conditions in browser media handling.

prevent

Requires process isolation (e.g., browser sandbox) that limits arbitrary code execution to the compromised renderer process.

References