CVE-2019-5789
published 2019-05-23


Priority: P2 · 60 · high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 7.29% (93.6th percentile)
An integer overflow that leads to a use-after-free in WebMIDI in Google Chrome on Windows prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.

Affected (11 ranges)

Vendor        | Product   | Version range                         | Fixed in
chromium      | chromium  | >= 0 < 73.0.3683.75-1                 | 73.0.3683.75-1
chromium      | chromium  | >= 0 < 73.0.3683.75-1                 | 73.0.3683.75-1
chromium      | chromium  | >= 0 < 73.0.3683.75-1                 | 73.0.3683.75-1
chromium      | chromium  | >= 0 < 73.0.3683.75-1                 | 73.0.3683.75-1
debian        | chromium  | < chromium 73.0.3683.75-1 (bookworm)  | chromium 73.0.3683.75-1 (bookworm)
google        | chrome    | < 73.0.3683.75                        | 73.0.3683.75
google        | chrome    |                                       |
opensuse      | backports |                                       |
opensuse      | leap      |                                       |
opensuse      | leap      |                                       |
opensuse      | leap      |                                       |

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46570.zip
Version: Google Chrome < 73.0.3683.75
  • Monitor for abuse of the MojoJS JavaScript bindings from renderer processes making direct Mojo calls to the MidiManagerWin component; this is the attack vector used to trigger the integer-overflow use-after-free without going through the standard WebMIDI API teardown path.
  • Look for renderer processes on Windows repeatedly creating and destroying MIDI sessions at high frequency (thousands of iterations) in order to overflow the `static int id` counter in IssueNextInstanceId within MidiManagerWin; this wrap-around is the mechanism that enables the use-after-free.
  • The vulnerability is Windows-specific (MidiManagerWin); triage alerts only for Chrome renderer processes running on Windows, as Linux/macOS use MidiManagerAlsa, which includes an overflow check.
  • Exploitation requires a pre-compromised renderer process; this is not a direct one-click RCE from a cold start, and a renderer compromise must already exist before this UAF can be leveraged.
  • Exploitation timing is highly sensitive to system state; the PoC notes a shorter runtime immediately after boot and requires synchronisation with the system clock, so detection windows may vary significantly across environments.
  • The PoC uses a patched `static short` instead of `static int` for IssueNextInstanceId to reduce test time; in-the-wild exploitation against unpatched Chrome would require the full integer overflow cycle (roughly 4 days from a compromised renderer).

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |