cbcvebase.
CVE-2020-16013
published 2021-01-08

CVE-2020-16013: Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML…

PriorityP181high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
2.83%
84.8th percentile
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Affected

8 ranges
VendorProductVersion rangeFixed in
chromiumchromium>= 0 < 87.0.4280.88-0.187.0.4280.88-0.1
chromiumchromium>= 0 < 87.0.4280.88-0.187.0.4280.88-0.1
chromiumchromium>= 0 < 87.0.4280.88-0.187.0.4280.88-0.1
chromiumchromium>= 0 < 87.0.4280.88-0.187.0.4280.88-0.1
debianchromium< chromium 87.0.4280.88-0.1 (bookworm)chromium 87.0.4280.88-0.1 (bookworm)
googlechrome< 86.0.4240.19886.0.4240.198
googlechrome>= unspecified < 86.0.4240.19886.0.4240.198
googlechrome_chrome

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2020-16013 is an in-the-wild exploited vulnerability (confirmed by Google); detection should prioritize Chrome versions prior to 86.0.4240.198 making outbound connections or rendering crafted HTML pages
  • The vulnerability is an inappropriate implementation in the V8 JavaScript engine (CWE-787 Out-of-bounds Write); monitor for heap corruption triggered via crafted HTML pages delivered remotely
  • Exploit delivery vector is a crafted HTML page; network-level detection should look for suspicious HTML/JS content targeting V8 engine parsing, especially from untrusted or anonymous sources
  • This vulnerability affects multiple Chromium-based browsers (Chrome, Edge, Opera); broaden detection scope beyond Chrome alone
  • Rockwell Automation Connected Components Workbench using CefSharp version 81.3.100 is a known vulnerable embedded-browser deployment; flag this version in OT/ICS environments
  • ·Exploits were reported by anonymous sources; no public PoC or exploit code details are available in the sources, limiting signature-based detection specificity
  • ·The fix version for Chromium-based browsers is 86.0.4240.198 (Chrome) or 87.0.4280.88 (Debian); detections based on version checks should use these thresholds

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa8.8HIGH
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.