CVE-2019-5786
published 2019-06-27

Priority: P181 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-06-13)
Exploited in the wild
EPSS: 61.54% (99.1th percentile)
Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

Affected

7 ranges

Vendor   | Product  | Version range                         | Fixed in
chromium | chromium | >= 0 < 72.0.3626.121-1                | 72.0.3626.121-1
chromium | chromium | >= 0 < 72.0.3626.121-1                | 72.0.3626.121-1
chromium | chromium | >= 0 < 72.0.3626.121-1                | 72.0.3626.121-1
chromium | chromium | >= 0 < 72.0.3626.121-1                | 72.0.3626.121-1
debian   | chromium | < chromium 72.0.3626.121-1 (bookworm) | chromium 72.0.3626.121-1 (bookworm)
google   | chrome   | < 72.0.3626.121                       | 72.0.3626.121
google   | chrome   | >= unspecified < 72.0.3626.121        | 72.0.3626.121

Detection & IOCs (extracted from sources)

version: Chrome 72.0.3626.119
path:    /exploit.html
path:    /worker.js
bytes:   0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0
  • CVE-2019-5786 is exploited via a crafted HTML page delivered through the browser; the Metasploit module serves /exploit.html and /worker.js from a malicious HTTP server — monitor for browser requests to these paths on non-standard web servers.
  • The exploit uses FileReader.readAsArrayBuffer to trigger a use-after-free on a 128 MB string blob ('Z' * 128MB); large ArrayBuffer allocations combined with repeated FileReader calls in a short window are a behavioural indicator.
  • The exploit spawns a Web Worker (worker.js) alongside the main exploit page; a parent iframe loading exploit.html combined with a worker.js request from the same origin is a strong exploit-chain indicator.
  • Shellcode is written into a WebAssembly RWX page; detect creation of WebAssembly.Module/Instance objects immediately followed by arbitrary memory writes in Chrome renderer processes on Windows 7 x86.
  • The Metasploit module defaults to windows/meterpreter/reverse_tcp payload; post-exploitation network connections from chrome.exe (or its child processes) to external IPs on arbitrary high ports should be treated as suspicious.
  • The exploit requires the Chrome sandbox to be disabled (--no-sandbox) for the payload to execute; monitor Chrome process launch arguments for --no-sandbox on end-user machines.
  • The exploit uses two heap-spray marker constants (0x36313233 and 0x37414546) to locate controlled memory; these 4-byte little-endian values appearing in Chrome heap dumps or memory forensics are a strong indicator of this exploit.
  • The Metasploit exploit module targets only Chrome 72.0.3626.119 on Windows 7 x86; the vulnerability (CVE-2019-5786) affects all Chrome versions prior to 72.0.3626.121, but this specific exploit code will not work against other OS/arch combinations without modification.
  • The sandbox must be explicitly disabled for the payload to execute; in-the-wild exploitation likely paired this bug with a separate sandbox escape or privilege escalation (CVE-2019-0808) rather than relying on --no-sandbox.
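The bullets above name three indicators that lend themselves to automated checks: the /exploit.html plus /worker.js request pair from one client, the --no-sandbox switch on a Chrome command line, and the two heap-spray marker constants together with the WebAssembly header bytes in renderer memory. The following Python is an added example, not code from the advisory, its sources or the Metasploit module. The access-log lines, the command lines and the memory buffer are constructed samples; the paths, constants and header bytes are the ones listed on this page.

```python
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format); not real telemetry.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [27/Jun/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/72.0.3626.119"
10.0.0.7 - - [27/Jun/2019:10:01:10 +0000] "GET /exploit.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 Chrome/72.0.3626.119"
10.0.0.7 - - [27/Jun/2019:10:01:11 +0000] "GET /worker.js HTTP/1.1" 200 2048 "http://203.0.113.9/exploit.html" "Mozilla/5.0 Chrome/72.0.3626.119"
10.0.0.9 - - [27/Jun/2019:10:05:00 +0000] "GET /worker.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Chrome/74.0.3729.108"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicators taken from the page: served paths, heap-spray markers, wasm header.
EXPLOIT_PATHS = {"/exploit.html", "/worker.js"}
HEAP_MARKERS = (0x36313233, 0x37414546)
WASM_MAGIC = bytes([0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0])


def find_exploit_chain(log_text, window_seconds=30):
    """Return client IPs that fetched both exploit paths within the time window."""
    first_seen = defaultdict(dict)  # ip -> {path: timestamp of first request}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the scan
        path = m.group("path").split("?", 1)[0]
        if path not in EXPLOIT_PATHS:
            continue
        ip = m.group("ip")
        first_seen[ip].setdefault(path, datetime.strptime(m.group("ts"), TS_FMT))
        if EXPLOIT_PATHS.issubset(first_seen[ip]):
            times = list(first_seen[ip].values())
            if max(times) - min(times) <= timedelta(seconds=window_seconds) and ip not in hits:
                hits.append(ip)
    return hits


def flags_no_sandbox(cmdline):
    """True if a Chrome command line carries --no-sandbox as a standalone switch."""
    return "--no-sandbox" in cmdline.lower().split()


def _find_all(buf, needle):
    """Offsets of every (possibly overlapping) occurrence of needle in buf."""
    offsets, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def scan_memory(buf):
    """Locate the little-endian marker constants and the wasm header in a memory buffer."""
    findings = {f"0x{m:08x}": _find_all(buf, struct.pack("<I", m)) for m in HEAP_MARKERS}
    findings["wasm_header"] = _find_all(buf, WASM_MAGIC)
    return findings


# Constructed memory sample: marker 1 at offset 16, wasm header at 28, marker 2 at 36.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + struct.pack("<I", HEAP_MARKERS[0])
    + b"A" * 8
    + WASM_MAGIC
    + struct.pack("<I", HEAP_MARKERS[1])
)

if __name__ == "__main__":
    print("exploit-chain clients:", find_exploit_chain(SAMPLE_ACCESS_LOG))
    print("no-sandbox:", flags_no_sandbox('"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --no-sandbox'))
    print("memory findings:", scan_memory(SAMPLE_MEMORY))
```

The log check keys on the first request to each path per client and only fires when both arrive inside the window, so a lone /worker.js fetch (as from 10.0.0.9 in the sample) is not reported. The memory scan packs the constants little-endian before searching, matching how they appear in a heap dump; the wasm header search is the raw eight bytes listed under IOCs.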

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:N/A:P
ghsa          |         | 6.5   | MEDIUM   |
osv           |         | 6.5   | MEDIUM   |
vulncheck     |         | 6.5   | MEDIUM   |
cisa          |         | 6.5   | MEDIUM   |
vendor_debian |         | 6.5   | MEDIUM   |
vendor_redhat |         | 6.5   | MEDIUM   |