cbcvebase.
CVE-2020-15994
published 2020-11-03

CVE-2020-15994: Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

PriorityP278high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
13.07%
95.9th percentile
Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected

4 ranges
VendorProductVersion rangeFixed in
debianchromium
googlechrome< 86.0.4240.9986.0.4240.99
googlechrome>= unspecified < 86.0.4240.9986.0.4240.99
googlechrome_chrome

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is triggered via a crafted HTML page delivered remotely, targeting the V8 JavaScript engine's use-after-free condition in Google Chrome prior to 86.0.4240.99
  • Severity is rated High; prioritize detection and patching on Chrome for Android deployments as this was specifically called out in the Android update advisory
  • ·Vulnerability is fixed in Chrome 86.0.4240.99 and later; any Chrome instance reporting a version prior to this is unpatched and exploitable
  • ·Debian distributions (bookworm, bullseye, forky, sid, trixie) have all resolved this CVE; scope is listed as local in the Debian tracker, which may affect risk scoring in those environments

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck8.8HIGH
vendor_debian8.8LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.