CVE-2019-5825
published 2019-11-25


Priority P1 · 80 · medium · CVSS 3.1 base score 6.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-06-22)
Exploited in the wild
EPSS: 55.93% (98.9th percentile)
Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected

7 ranges (the four identical chromium entries are shown once)

Vendor     Product    Version range                             Fixed in
chromium   chromium   >= 0 < 75.0.3770.80-1                     75.0.3770.80-1
debian     chromium   < chromium 75.0.3770.80-1 (bookworm)      chromium 75.0.3770.80-1 (bookworm)
google     chrome     < 73.0.3683.86                            73.0.3683.86
google     chrome     >= unspecified < 73.0.3683.86             73.0.3683.86

Detection & IOCs (extracted from sources)

References:
  • https://github.com/exodusintel/Chromium-941743
  • https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/
  • https://lordofpwn.kr/cve-2019-5825-v8-exploit/
Command-line flag: --no-sandbox
Bytes (WebAssembly module embedded by the exploit as bc[]):
0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb
  • The exploit targets Chrome 73.0.3683.86 (64-bit) specifically; alert when a User-Agent advertising exactly this build is served the exploit content. Note that this is the same build the description above lists as the first fixed version, so confirm the real fixed build against Google's release notes before using the version boundary for triage.
  • Exploit delivery uses the response headers Cache-Control: no-cache, no-store, must-revalidate, Pragma: no-cache and Expires: 0 with Content-Type: text/html. This combination is common on legitimate dynamic pages, so treat it as a weak corroborating signal, never as a standalone detection.
  • The exploit uses WebAssembly to obtain an RWX memory region (the code page of a Wasm instance) and writes shellcode into it; detect WebAssembly.Module / WebAssembly.Instance instantiation combined with typed-array (BigUint64Array) manipulation in the same script context.
  • The exploit corrupts the length of a packed double (float) array from inside an Array.prototype.map callback to obtain an out-of-bounds read/write primitive; look for Array.map callbacks that allocate new typed arrays (BigUint64Array) and float arrays at index 0.
  • The exploit embeds a WebAssembly module as a byte array (bc[]) beginning with the magic bytes 0x00 0x61 0x73 0x6d. The magic alone identifies every Wasm module; the full 78-byte sequence listed above can serve as a network or memory signature, but it is the stock MDN "simple.wasm" demo module (imports imports.imported_func, exports exported_func, body i32.const 42 / call 0), which many PoCs and tutorials reuse, so a match indicates a common exploit template rather than this CVE specifically.
  • The Metasploit module exposes a /print endpoint for debug output; a request for a URI path matching /print$ on a browser-exploit server can indicate active exploitation or testing.
  • On failure the exploit reloads the page via location.reload(); repeated rapid reloads of the same exploit URI from a Chrome 73 User-Agent can indicate exploitation retries.
  • The exploit reads the RWX page address at a fixed offset from the WasmInstance object (instance + 0xf8); this offset is specific to Chrome 73.0.3683.86, so a script hard-coding it is fingerprinting that build rather than using WebAssembly generically.
  • The exploit only works when Chrome is launched with --no-sandbox; the module does not chain a sandbox escape, so against a default sandboxed installation it fails at the payload execution stage.
  • The exploit is architecture-specific (x86_64 only) and the module supports only Windows and macOS targets; Linux and 32-bit targets are not supported.
  • The offset used to locate the WebAssembly RWX code page is hard-coded for Chrome 73.0.3683.86; other Chrome versions need different offsets, so the module does not work against patched or otherwise different builds.
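The indicators above are easier to apply once the byte sequence and the header/script heuristics are turned into code. The following is an added example written for this page, not code from the source, the Exodus PoC or the Metasploit module: a Node.js script that decodes the bc[] module and walks its sections (so the "known bytecode stub" can be inspected), and scores a captured HTTP response against the script, header and User-Agent indicators. The indicator weights and the two sample responses are constructed for this example.

```javascript
// Added example for this page (not code from the source, the Exodus PoC or the
// Metasploit module). Node.js >= 12, no dependencies.
//   parseWasm()      decodes the bc[] byte sequence and walks its sections.
//   scoreResponse()  applies the script, header and User-Agent indicators to a
//                    captured response. Weights and samples are constructed here.

const SECTION_NAMES = { 0: 'custom', 1: 'type', 2: 'import', 3: 'function', 4: 'table',
  5: 'memory', 6: 'global', 7: 'export', 8: 'start', 9: 'element', 10: 'code', 11: 'data' };

// The bc[] byte sequence quoted in the IOC list above (78 bytes).
const BC = [
  0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0,
  0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72,
  0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd,
  0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8,
  0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb,
];

function readLEB128(bytes, pos) {            // unsigned LEB128 (varuint32)
  let value = 0, shift = 0, b;
  do { b = bytes[pos++]; value |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return { value: value >>> 0, pos };
}

function readName(bytes, pos) {              // varuint32 length followed by UTF-8 bytes
  const { value: len, pos: start } = readLEB128(bytes, pos);
  return { name: new TextDecoder().decode(bytes.subarray(start, start + len)), pos: start + len };
}

function parseWasm(byteList) {
  const bytes = Uint8Array.from(byteList);
  const magic = [0x00, 0x61, 0x73, 0x6d];  // "\0asm"
  if (bytes.length < 8 || !magic.every((m, i) => bytes[i] === m)) throw new Error('bad wasm magic');
  const out = { version: new DataView(bytes.buffer).getUint32(4, true), sections: [], imports: [], exports: [] };
  let pos = 8;
  while (pos < bytes.length) {               // each section: id byte, varuint32 size, payload
    const id = bytes[pos++];
    const { value: size, pos: start } = readLEB128(bytes, pos);
    const end = start + size;
    if (end > bytes.length) throw new Error(`section ${id} overruns module`);
    out.sections.push({ id, name: SECTION_NAMES[id] || `unknown(${id})`, size });
    if (id === 2 || id === 7) {              // import / export: entry count, then entries
      let { value: count, pos: p } = readLEB128(bytes, start);
      for (let i = 0; i < count; i++) {
        const first = readName(bytes, p);
        if (id === 2) {                      // import: module, field, kind, type index (function kind only)
          const field = readName(bytes, first.pos);
          if (bytes[field.pos] !== 0) throw new Error('only function imports handled here');
          out.imports.push(`${first.name}.${field.name}`);
          p = readLEB128(bytes, field.pos + 1).pos;
        } else {                             // export: name, kind, index
          out.exports.push(first.name);
          p = readLEB128(bytes, first.pos + 1).pos;
        }
      }
    }
    pos = end;
  }
  return out;
}

const CHROME_73_UA = /Chrome\/73\.0\.3683\.86\b/;
const SCRIPT_INDICATORS = [                  // weights are this example's own choice
  { id: 'wasm-instantiate', re: /WebAssembly\.(Instance|Module|instantiate)\b/, weight: 1 },
  { id: 'biguint64array', re: /\bBigUint64Array\b/, weight: 2 },
  { id: 'array-map-callback', re: /\.map\s*\(\s*(function\b|\(|[\w$]+\s*=>)/, weight: 1 },
  { id: 'reload-on-failure', re: /\blocation\.reload\s*\(/, weight: 1 },
];

function containsByteSequence(script, needle) {
  // Pull every hex literal out of the script and look for needle as a contiguous run,
  // so 0x0 vs 0x00 and whitespace differences do not defeat the match.
  const nums = (script.match(/0x[0-9a-fA-F]+/g) || []).map(Number);
  outer: for (let i = 0; i + needle.length <= nums.length; i++) {
    for (let j = 0; j < needle.length; j++) if (nums[i + j] !== needle[j]) continue outer;
    return true;
  }
  return false;
}

function headersMatch(headers) {             // the header combination named in the IOC list
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).toLowerCase();
  const cc = h['cache-control'] || '';
  return ['no-cache', 'no-store', 'must-revalidate'].every((t) => cc.includes(t))
    && h['pragma'] === 'no-cache' && h['expires'] === '0'
    && (h['content-type'] || '').startsWith('text/html');
}

function scoreResponse({ userAgent = '', headers = {}, body = '' }) {
  const hits = SCRIPT_INDICATORS.filter((ind) => ind.re.test(body)).map((ind) => ind.id);
  let score = SCRIPT_INDICATORS.filter((ind) => hits.includes(ind.id)).reduce((s, ind) => s + ind.weight, 0);
  const wasmStub = containsByteSequence(body, BC);
  const headerCombo = headersMatch(headers);
  const chrome73 = CHROME_73_UA.test(userAgent);
  // The wasm stub (the stock MDN demo module) and the header combination are weak alone,
  // so they only add weight when at least two script indicators co-occur.
  if (hits.length >= 2) score += (wasmStub ? 2 : 0) + (headerCombo ? 1 : 0);
  if (chrome73 && hits.length > 0) score += 2;
  return { score, hits, wasmStub, headerCombo, chrome73 };
}

// Constructed samples, not real captures.
const HEX_LIST = BC.map((b) => '0x' + b.toString(16)).join(', ');
const SUSPICIOUS = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36',
  headers: { 'Cache-Control': 'no-cache, no-store, must-revalidate', Pragma: 'no-cache', Expires: '0', 'Content-Type': 'text/html' },
  body: `var bc = [${HEX_LIST}];
var mod = new WebAssembly.Module(new Uint8Array(bc));
var inst = new WebAssembly.Instance(mod, { imports: { imported_func: function () {} } });
var big = new BigUint64Array(8);
var arr = [1.1, 2.2, 3.3]; arr.map(function (x, i) { return i === 0 ? new BigUint64Array(2) : x; });
if (!ok) location.reload();`,
};
const BENIGN_DEMO = {                        // an MDN-style demo page using the same module
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
  headers: { 'Content-Type': 'text/html' },
  body: `const bytes = new Uint8Array([${HEX_LIST}]);
WebAssembly.instantiate(bytes, { imports: { imported_func: (x) => console.log(x) } });`,
};

console.log(JSON.stringify({ module: parseWasm(BC), suspicious: scoreResponse(SUSPICIOUS), benign: scoreResponse(BENIGN_DEMO) }, null, 2));
```

Running it shows the decoded module has exactly the sections type, import, function, export and code, importing imports.imported_func and exporting exported_func, which is the shape of the MDN demo module; the benign demo page matches the byte signature but scores low, while the constructed exploit-shaped response scores high only because several script indicators, the header combination and the Chrome 73 User-Agent co-occur.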

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd             v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:N/A:P
osv                      6.5    MEDIUM
vulncheck                6.5    MEDIUM
cisa                     6.5    MEDIUM
vendor_debian            6.5    MEDIUM
vendor_redhat            6.5    MEDIUM

All 6.5 scores inherit the NVD v3.1 vector, which rates only the availability impact (C:N/I:N/A:H), as NVD commonly does for heap corruption reported as a crash. The public exploits above and the KEV listing show the practical impact is code execution in the renderer, so the CVSS score understates the risk for triage.