CVE-2020-15994
published 2020-11-03CVE-2020-15994: Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PriorityP278high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
13.07%
95.9th percentile
Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | chromium | — | — |
| chrome | < 86.0.4240.99 | 86.0.4240.99 | |
| chrome | >= unspecified < 86.0.4240.99 | 86.0.4240.99 | |
| chrome_chrome | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability is triggered via a crafted HTML page delivered remotely, targeting the V8 JavaScript engine's use-after-free condition in Google Chrome prior to 86.0.4240.99 ↗
- →Severity is rated High; prioritize detection and patching on Chrome for Android deployments as this was specifically called out in the Android update advisory ↗
- ·Vulnerability is fixed in Chrome 86.0.4240.99 and later; any Chrome instance reporting a version prior to this is unpatched and exploitable ↗
- ·Debian distributions (bookworm, bullseye, forky, sid, trixie) have all resolved this CVE; scope is listed as local in the Debian tracker, which may affect risk scoring in those environments ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck8.8HIGH
vendor_debian8.8LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Chrome
Chrome for Android Update: CVE-2020-15993
vendor_chrome·2020-10-13·CVSS 7.5
CVE-2020-15993 [HIGH] Chrome for Android Update: CVE-2020-15993
Chrome for Android Update
CVE-2020-15993: Use after free in printing. Reported by Khalil Zhani on 2020-10-01 [$500][ 1117367 ] High CVE-2020-13871, CVE-2020-15358: Use after free in SQLite
Reported by Richard Lorenz, SAP on 2020-08-18 [$N/A][ 1117258 ] High CVE-2020-15994: Use after free in V8
Severity: high
Debian
CVE-2020-15994: chromium - Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote att...
vendor_debian·2020·CVSS 8.8
CVE-2020-15994 [HIGH] CVE-2020-15994: chromium - Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote att...
Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-9pg9-hg9f-fw5m: Use after free in V8 in Google Chrome prior to 86
ghsa_unreviewed·2022-05-24
CVE-2020-15994 [HIGH] CWE-416 GHSA-9pg9-hg9f-fw5m: Use after free in V8 in Google Chrome prior to 86
Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
VulnCheck
Google Chrome Use After Free
vulncheck·2020·CVSS 8.8
CVE-2020-15994 [HIGH] Google Chrome Use After Free
Google Chrome Use After Free
Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected: Google Chrome
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2h-2023.pdf
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-11-03
Published
Exploited in the wild