CVE-2016-9651
published 2019-01-09

Priority: P2 (62) · Severity: high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 11.18% (95.4th percentile)
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Affected

5 ranges

Vendor   Product                      Version range                      Fixed in
google   chrome                       < 55.0.2883.75                     55.0.2883.75
google   chrome                       >= unspecified, < 55.0.2883.75     55.0.2883.75
redhat   enterprise_linux_desktop     (not specified)                    (not specified)
redhat   enterprise_linux_server      (not specified)                    (not specified)
redhat   enterprise_linux_workstation (not specified)                    (not specified)

Detection & IOCs (extracted from sources)

url      https://play.google.com/store/apps/details?id=com.kitkats.qrscanner
url      https://play.google.com/store/apps/details?id=com.google.zxing.client.android
command  intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end
bytes    0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46

  • The exploit uses a Web Worker spawned from a Blob URL (URL.createObjectURL on an application/javascript Blob) to run the exploit payload in a worker thread, retrying repeatedly on failure. Detect creation of Blob-based Worker URLs whose script contains exploit code patterns.
  • The exploit abuses V8 private property access to gain an out-of-bounds read/write from a crafted HTML page. Look for JavaScript that manipulates TypedArray (Uint32Array, Float64Array) buffers with implausibly large lengths (e.g. 0xfffffffc) to corrupt memory.
  • The exploit targets Google Chrome on Android (chrome.apk) and attempts to install a malicious APK via an Android intent URI. Monitor for intent:// scheme navigations originating from browser contexts.
  • The exploit is attributed to 360 Alpha Team and was originally demonstrated at Pwnfest 2016. Source code is hosted at https://github.com/secmob/pwnfest2016/
  • The vulnerability affects Google Chrome versions prior to 55.0.2883.75 only; systems running Chrome 55.0.2883.75 or later are not affected.
  • The exploit achieves code execution inside the Chrome renderer sandbox only; a separate sandbox escape would be required for full system compromise.
  • The exploit uses a brute-force heap feng-shui loop with retry logic (up to 150 iterations) and may hang; a watchdog timer terminates and restarts the worker thread every 10 seconds if no progress is detected.
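The three detection hints above (Blob-backed Worker, oversized TypedArray lengths, intent:// navigation) can be turned into a small static scanner for page content or proxy-captured scripts. The following is an added example written for this page, not code from the exploit author or from the database; the sample inputs are constructed, and the heuristics (the 0x80000000 length threshold, the regexes) are assumptions that will produce false positives on legitimate code and should be tuned before use.

```javascript
// Added example: a static indicator scanner for the CVE-2016-9651 exploit
// patterns described on this page. Not the exploit itself; heuristics are
// assumptions, not a signature from the original source.

// Any hex/decimal literal at or above this value is treated as an
// implausible TypedArray length (assumed threshold; the exploit uses 0xfffffffc).
const HUGE_LENGTH = 0x80000000;

const TYPED_ARRAY_RE =
  /\b(?:Uint8|Uint16|Uint32|Int8|Int16|Int32|Float32|Float64)Array\b/;
const NUMERIC_LITERAL_RE = /\b(0x[0-9a-f]+|\d+)\b/gi;

const INDICATORS = [
  {
    id: 'blob-worker',
    description: 'Web Worker spawned from a Blob URL (new Blob + URL.createObjectURL + new Worker)',
    test: (src) =>
      /new\s+Blob\s*\(/.test(src) &&
      /URL\.createObjectURL\s*\(/.test(src) &&
      /new\s+Worker\s*\(/.test(src),
  },
  {
    id: 'huge-typedarray',
    description: 'TypedArray code next to an implausibly large length constant',
    test: (src) => {
      if (!TYPED_ARRAY_RE.test(src)) return false;
      let m;
      NUMERIC_LITERAL_RE.lastIndex = 0;
      while ((m = NUMERIC_LITERAL_RE.exec(src)) !== null) {
        // Number() parses both "0x..." hex and decimal literals.
        if (Number(m[1]) >= HUGE_LENGTH) return true;
      }
      return false;
    },
  },
  {
    id: 'android-intent',
    description: 'Android intent:// URI carrying an explicit scheme= and package= (APK install/launch vector)',
    test: (src) =>
      /intent:\/\/[^"'\s]*#Intent;[^"'\s]*scheme=[^"'\s]*package=/.test(src) ||
      /intent:\/\/[^"'\s]*#Intent;[^"'\s]*package=[^"'\s]*scheme=/.test(src),
  },
];

// Returns the ids of all indicators that fire on the given script/HTML text.
function scan(src) {
  return INDICATORS.filter((ind) => ind.test(src)).map((ind) => ind.id);
}

// Constructed sample that mirrors the page's description of the exploit
// (not the real exploit code).
const SUSPICIOUS_SAMPLE = `
var code = "self.onmessage = function(){ /* payload */ }";
var blob = new Blob([code], { type: 'application/javascript' });
var worker = new Worker(URL.createObjectURL(blob));
var f64 = new Float64Array(0x100);
var u32 = new Uint32Array(8);
u32[3] = 0xfffffffc;
location.href = "intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end";
`;

// Constructed benign sample: ordinary TypedArray use, no worker, no intent URI.
const BENIGN_SAMPLE = `
const buf = new Uint8Array(16);
crypto.getRandomValues(buf);
fetch('/api/status').then(r => r.json());
`;

function report(label, src) {
  const hits = scan(src);
  console.log(`${label}: ${hits.length ? hits.join(', ') : 'no indicators'}`);
  return hits;
}

report('suspicious', SUSPICIOUS_SAMPLE);
report('benign', BENIGN_SAMPLE);
```

The `huge-typedarray` check is deliberately loose: it fires on any large literal in a file that also touches typed arrays, because the exploit writes the corrupted length through its memory primitive rather than passing it to a constructor, so the constant may appear anywhere. Treat a hit as a triage signal to be confirmed against the other two indicators, not as proof of exploitation.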

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                     8.8    HIGH
vendor_redhat           8.8    HIGH
vendor_ubuntu           6.1    MEDIUM