CVE-2020-6418
published 2020-02-27

CVE-2020-6418: Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Priority: P1 · 91 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (due 2022-05-03); exploited in the wild
EPSS: 78.81% (99.5th percentile)

Affected

15 ranges

Vendor | Product | Version range | Fixed in
chromium | chromium | >= 0 < 80.0.3987.122-1 | 80.0.3987.122-1
chromium | chromium | >= 0 < 80.0.3987.122-1 | 80.0.3987.122-1
chromium | chromium | >= 0 < 80.0.3987.122-1 | 80.0.3987.122-1
chromium | chromium | >= 0 < 80.0.3987.122-1 | 80.0.3987.122-1
debian | chromium | < chromium 80.0.3987.122-1 (bookworm) | chromium 80.0.3987.122-1 (bookworm)
debian | debian_linux | |
debian | debian_linux | |
fedoraproject | fedora | |
fedoraproject | fedora | |
google | chrome | < 80.0.3987.122 | 80.0.3987.122
google | chrome | >= unspecified < 80.0.3987.122 | 80.0.3987.122
google | chrome_chrome | |
redhat | enterprise_linux_desktop | |
redhat | enterprise_linux_server | |
redhat | enterprise_linux_workstation | |

Detection & IOCs (extracted from sources)

version: Google Chrome 80.0.3987.87 (64 bit)
command: --no-sandbox
bytes: 0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb
  • The exploit targets Google Chrome 80.0.3987.87 (64-bit) via a type confusion in V8's JSCreate side-effect path. Detection should focus on Chrome renderer processes spawned with --no-sandbox, as the exploit requires this flag for payload execution outside the sandbox.
  • The exploit uses WebAssembly to allocate an RWX memory region and overwrites it with shellcode. Monitor for WebAssembly module instantiation (WebAssembly.Instance/WebAssembly.Module) immediately followed by shellcode writes to RWX pages in Chrome renderer processes.
  • The exploit corrupts the length of a float array (float_rel) for out-of-bounds read/write, then uses a UInt64Array (uint64_aarw) for absolute memory access. V8 heap corruption involving typed array length manipulation is a key behavioral indicator.
  • The exploit triggers the bug via Reflect.construct with a Proxy new.target inside an array push operation. Detecting JavaScript patterns combining Reflect.construct, Proxy objects, and array push in tight loops may indicate exploitation attempts.
  • The exploit delivers a crafted HTML page with inline JavaScript. HTTP responses with Content-Type text/html and Cache-Control: no-cache, no-store, must-revalidate headers containing the exploit JS pattern should be flagged.
  • The Check Point IPS blade signature name for this CVE is 'Google Chrome Type Confusion (CVE-2020-6418)'; use it as a reference signature name when searching IPS/NIDS logs.
  • The Chromium bug tracker ID for this vulnerability is 1053604. Use this ID to correlate patch notes, crash reports, and exploit references.
  • The Metasploit exploit module only targets Chrome 80.0.3987.87 (64-bit) on Windows 10 and macOS. It requires the browser to be launched with --no-sandbox; exploitation against sandboxed Chrome instances will not result in payload execution.
  • Detailed technical information about the vulnerability was restricted at the time of initial disclosure to allow users time to patch. Full details may have become available later.
  • No public proof-of-concept was available at the time of Tenable's initial blog post, though in-the-wild exploitation was confirmed by Google.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | | 8.8 | HIGH |
vulncheck | | 8.8 | HIGH |
cisa | | 8.8 | HIGH |
vendor_debian | | 8.8 | HIGH |
vendor_redhat | | 8.8 | HIGH |