CVE-2020-16040
published 2021-01-08

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Priority: P2 · 79
Severity: medium, CVSS 3.1 base score 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitation: exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 99.59% (99.9th percentile)

Affected

8 ranges

Vendor    | Product       | Version range                              | Fixed in
----------|---------------|--------------------------------------------|----------------------------------------
chromium  | chromium      | >= 0 < 87.0.4280.88-0.1                    | 87.0.4280.88-0.1
chromium  | chromium      | >= 0 < 87.0.4280.88-0.1                    | 87.0.4280.88-0.1
chromium  | chromium      | >= 0 < 87.0.4280.88-0.1                    | 87.0.4280.88-0.1
chromium  | chromium      | >= 0 < 87.0.4280.88-0.1                    | 87.0.4280.88-0.1
debian    | chromium      | < chromium 87.0.4280.88-0.1 (bookworm)     | chromium 87.0.4280.88-0.1 (bookworm)
google    | chrome        | < 87.0.4280.88                             | 87.0.4280.88
google    | chrome        | >= unspecified < 87.0.4280.88              | 87.0.4280.88
google    | chrome_chrome |                                            |

Detection & IOCs (extracted from sources)

cookie: Hm_lvt_
filename: ___unique_id___
  • CVE-2020-16040 exploitation script delivered via PeckBirdy C&C framework targeting Google Chrome browsers; look for watering-hole injections on gambling and government websites that load remote JScript payloads.
  • CVE-2020-16040 is an integer overflow in V8's SimplifiedLowering/TurboFan phase; exploit uses ArrayPrototypeShift to create a JSArray with length -1, then achieves arbitrary read/write via ArrayBuffer and executes shellcode via WebAssembly RWX page.
  • PeckBirdy victim tracking: monitor for creation of a file named ___unique_id___ in the Windows %TEMP% folder, which is used to persist the victim ID across executions.
  • PeckBirdy uses cookie prefix Hm_lvt_ (mimicking a legitimate analytics service) to store victim IDs in browser cookies; detect anomalous Hm_lvt_ cookies set by non-legitimate analytics domains.
  • PeckBirdy delivers fake Chrome update social engineering pages to victims; monitor for browser processes spawning unexpected child processes after visiting gambling or government sites.
  • CVE-2020-16040 exploit requires --no-sandbox Chrome flag to execute payload outside the renderer sandbox; alert on Chrome launched with --no-sandbox in enterprise environments.
  • CVE-2020-16040 affects Google Chrome versions prior to 87.0.4280.88 (64-bit); the exploit is only reliably weaponized against that specific version range.
  • PeckBirdy falls back to Adobe Flash ActiveX TCP socket communication for older environments; this fallback path is only relevant for legacy systems where Flash was not removed.

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|----------------------------------------------
nvd           | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:N/A:P
osv           |         | 6.5   | MEDIUM   |
vulncheck     |         | 6.5   | MEDIUM   |
vendor_debian |         | 6.5   | MEDIUM   |