cbcvebase.
CVE-2019-5788
published 2019-05-23

Priority: P2 (60, high) · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public PoC available (exploit-db 46571, see Detection & IOCs below)
EPSS: 7.15% (93.5th percentile)
An integer overflow that leads to a use-after-free in Blink Storage in Google Chrome on Linux prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.

Affected

11 ranges listed (identical rows merged)

Vendor     Product     Version range                          Fixed in
chromium   chromium    >= 0 < 73.0.3683.75-1                  73.0.3683.75-1
debian     chromium    < chromium 73.0.3683.75-1 (bookworm)   chromium 73.0.3683.75-1 (bookworm)
google     chrome      < 73.0.3683.75                         73.0.3683.75
google     chrome      (not specified)                        (not specified)
opensuse   backports   (not specified)                        (not specified)
opensuse   leap        (not specified)                        (not specified)

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46571.zip
Filename: id_overflow_no_filewriter.html
Command: /ssd/chrome_trunk/src/out/Asan/chrome --enable-blink-features=MojoJS --user-data-dir=/tmp/aa 'http://localhost:8000/id_overflow_no_filewriter.html'
  • Monitor Chrome processes launched with the --enable-blink-features=MojoJS flag, which is required to trigger the PoC from JavaScript.
  • The vulnerability is triggered by an OperationID integer wrap-around in FileSystemOperationRunner::BeginOperation, leading to a use-after-free; look for anomalous FileWriter API or blob registry access from a renderer process.
  • Exploitation requires an already-compromised renderer process; chained detection should look for renderer sandbox escapes followed by FileAPI/Blink Storage activity on Linux Chrome versions prior to 73.0.3683.75.
  • Exploitation runtime from JavaScript is extremely long (about 2 days on the researcher's machine) unless the OperationID typedef is patched to a shorter integer type for reproduction.
  • The exploit requires copying the Mojo JS bindings from a local Chrome build before serving the PoC HTML page.
  • The vulnerability only affects Google Chrome on Linux prior to version 73.0.3683.75; other platforms are not listed as affected.

CVSS provenance

Source          Version   Score   Severity    Vector
nvd             v3.1      8.8     HIGH        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      9.3     CRITICAL    AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                       8.8     HIGH
vendor_debian             8.8     HIGH
vendor_redhat             8.8     HIGH