CVE-2018-16071
Published: 2019-01-09
Priority: P3 55 · high · CVSS 3.0 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: EPSS 4.80% (90.8th percentile)
A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| — | chrome | < 69.0.3497.81 | 69.0.3497.81 |
| — | chrome | >= unspecified, < 69.0.3497.81 | 69.0.3497.81 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via a crafted VP9 RTP packet where tl0_pic_idx is set to a value higher than any picture id existing in gof_info_, causing the entire gof_info_ map to be erased while a dangling pointer (info) is still used in the subsequent FrameReceivedVp9 call. Monitor for anomalous VP9 RTP streams with unexpected tl0_pic_idx values.
- The use-after-free occurs in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9 at rtp_frame_reference_finder.cc:497-499. Crash signatures or ASAN reports referencing this function and source location indicate active exploitation attempts.
- The exploit is delivered via a crafted video file processed through WebRTC VP9 decoding. Detection should focus on VP9-encoded media delivered over WebRTC (RTP) channels to Chrome versions prior to 69.0.3497.81.
- The vulnerability affects Google Chrome versions prior to 69.0.3497.81 only; patched versions are not affected.
- The upstream Chromium bug tracker issue is 855211; this can be used to cross-reference patch commits and affected code revisions.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
GHSA
GHSA-h9cj-6r23-p2g8 · ghsa_unreviewed · 2022-05-13 · HIGH · CWE-787
A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
OSV
CVE-2018-16071 · osv · 2019-01-09 · CVSS 8.8 · HIGH
A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
Project Zero
Adventures in Video Conferencing Part 1: The Wild World of WebRTC - Project Zero
project_zero · 2018-12-01
Posted by Natalie Silvanovich, Project Zero
Over the past five years, video conferencing support in websites and applications has exploded. Facebook, WhatsApp, FaceTime and Signal are just a few of the many ways that users can make audio and video calls across networks. While a lot of research has been done into the cryptographic and privacy properties of video conferencing, there is limited information available about the attack surface of these platforms and their susceptibility to vulnerabilities. We reviewed the three most widely-used video conferencing implementations. In this series of blog posts, we describe what we found.
This part will discuss our analysis of WebRTC. Part 2 will cover our analysis of FaceTime. Part 3 will discuss how we fuzzed WhatsApp. Part 4 will describe so
Red Hat
chromium-browser: Use after free in WebRTC
vendor_redhat · 2018-09-04 · CVSS 8.8 · HIGH
A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
No detection rules found.
Bugzilla
CVE-2018-16071 chromium-browser: Use after free in WebRTC
bugzilla · 2018-09-05 · CVSS 8.8 · HIGH
A use-after-free flaw was found in the WebRTC component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=855211
External References:
https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1625492]
Affects: fedora-all [bug 1625491]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2018:2666 https://access.redhat.com/errata/RHSA-2018:2666
Bugzilla
CVE-2018-16065 CVE-2018-16066 CVE-2018-16067 CVE-2018-16068 CVE-2018-16069 CVE-2018-16070 CVE-2018-16071 CVE-2018-16072 CVE-2018-16073 CVE-2018-16074 CVE-2018-16075 CVE-2018-16076 CVE-2018-16077 CVE-2018-16078 ... chromium: various flaws [fedora-all]
bugzilla · 2018-09-05 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the releva
Bugzilla
CVE-2018-16065 CVE-2018-16066 CVE-2018-16067 CVE-2018-16068 CVE-2018-16069 CVE-2018-16070 CVE-2018-16071 CVE-2018-16072 CVE-2018-16073 CVE-2018-16074 CVE-2018-16075 CVE-2018-16076 CVE-2018-16077 CVE-2018-16078 ... chromium: various flaws [epel-7]
bugzilla · 2018-09-05 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-l
References:
- http://www.securityfocus.com/bid/105215
- https://access.redhat.com/errata/RHSA-2018:2666
- https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html
- https://crbug.com/855211
- https://security.gentoo.org/glsa/201811-10
- https://www.exploit-db.com/exploits/45443/