CVE-2019-5788
Published 2019-05-23
Priority P2 · 60 · high · CVSS 3.1 8.8
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.15% (93.5th percentile)
An integer overflow that leads to a use-after-free in Blink Storage in Google Chrome on Linux prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 73.0.3683.75-1 | 73.0.3683.75-1 |
| debian | chromium | < chromium 73.0.3683.75-1 (bookworm) | chromium 73.0.3683.75-1 (bookworm) |
| google | chrome | < 73.0.3683.75 | 73.0.3683.75 |
| opensuse | backports | | |
| opensuse | leap | | |
Detection & IOCs (extracted from sources)
Command: `/ssd/chrome_trunk/src/out/Asan/chrome --enable-blink-features=MojoJS --user-data-dir=/tmp/aa 'http://localhost:8000/id_overflow_no_filewriter.html'`
- Monitor Chrome processes launched with the --enable-blink-features=MojoJS flag, which is required to trigger the PoC exploit from JavaScript.
- The vulnerability is triggered via OperationID integer wrap-around in FileSystemOperationRunner::BeginOperation, leading to a use-after-free; look for anomalous FileWriter API or blob registry access from a renderer process.
- Exploitation requires a pre-compromised renderer process; detection of the full chain should look for renderer sandbox escapes followed by FileAPI/Blink Storage activity on Linux Chrome versions prior to 73.0.3683.75.
- Exploitation runtime from JavaScript is extremely long (~2 days on the researcher's machine) unless the OperationID typedef is patched to a shorter integer type for reproduction.
- The exploit requires copying Mojo JS bindings from a local Chrome build before serving the PoC HTML page.
- The vulnerability only affects Google Chrome on Linux prior to version 73.0.3683.75; other platforms are not listed as affected.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |
Red Hat
chromium-browser: Use after free in FileAPI
vendor_redhat · 2019-03-12 · CVSS 8.8 · HIGH
Debian
CVE-2019-5788: chromium - An integer overflow that leads to a use-after-free in Blink Storage in Google Ch...
vendor_debian · 2019 · CVSS 8.8 · HIGH
Scope: local
bookworm: resolved (fixed in 73.0.3683.75-1)
bullseye: resolved (fixed in 73.0.3683.75-1)
forky: resolved (fixed in 73.0.3683.75-1)
sid: resolved (fixed in 73.0.3683.75-1)
trixie: resolved (fixed in 73.0.3683.75-1)
GHSA
GHSA-fcw7-99hh-qv33: An integer overflow that leads to a use-after-free in Blink Storage in Google Chrome on Linux prior to 73
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-190
OSV
CVE-2019-5788: An integer overflow that leads to a use-after-free in Blink Storage in Google Chrome on Linux prior to 73
osv · 2019-05-23 · CVSS 8.8 · HIGH
No detection rules found.
Bugzilla
CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790 CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800 CVE-2019-5801 ... chromium: various flaws [epel-7]
bugzilla · 2019-03-13 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-l
Bugzilla
CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790 CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800 CVE-2019-5801 ... chromium: various flaws [fedora-all]
bugzilla · 2019-03-13 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the releva
Bugzilla
CVE-2019-5788 chromium-browser: Use after free in FileAPI
bugzilla · 2019-03-13 · CVSS 8.8 · HIGH
A use-after-free flaw was found in the FileAPI component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=925864
External References:
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1688209]
Affects: fedora-all [bug 1688208]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2019:0708 https://access.redhat.com/errata/RHSA-2019:0708
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html
- https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html
- https://crbug.com/925864