CVE-2020-6507
Published 2020-07-22
CVE-2020-6507: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Priority: P2 · 67 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 19.42% (97.0th percentile)
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 83.0.4103.106-1 | 83.0.4103.106-1 |
| chromium | chromium | >= 0 < 83.0.4103.106-1 | 83.0.4103.106-1 |
| chromium | chromium | >= 0 < 83.0.4103.106-1 | 83.0.4103.106-1 |
| chromium | chromium | >= 0 < 83.0.4103.106-1 | 83.0.4103.106-1 |
| debian | chromium | < chromium 83.0.4103.106-1 (bookworm) | chromium 83.0.4103.106-1 (bookworm) |
| chrome | — | < 83.0.4103.106 | 83.0.4103.106 |
| chrome | — | >= unspecified < 83.0.4103.106 | 83.0.4103.106 |
| chrome_chrome | — | — | — |
Detection & IOCs (extracted from sources)
- The exploit triggers an out-of-bounds write in V8 by manipulating array lengths via Math.max and array.splice on a giant concatenated array (~0x40000 * 0x100 elements), corrupting adjacent array length fields. Monitor for JavaScript creating extremely large arrays via Array.prototype.concat.apply with many large sub-arrays.
- The exploit uses a crafted Float64Array/BigUint64Array conversion with the magic constant 0x2424242400000001n to encode a corrupted array length as a double. Detection of this constant in JavaScript heap or network traffic is a strong indicator of exploitation.
- The exploit searches memory for the marker value 0x13373n to locate an ArrayBuffer object for arbitrary read/write primitives. Presence of this value in V8 heap scanning loops is indicative of this exploit.
- The vulnerability is triggered via a crafted HTML page delivered remotely. Chrome versions prior to 83.0.4103.106 are affected; enforce version checks on Chrome deployments.
- The public exploit targets Chrome 81.0.4044, but the CVE affects all Chrome versions prior to 83.0.4103.106. The exploit may require adaptation for other sub-versions in that range.
- The exploit's memory search for the ArrayBuffer marker (0x13373n) uses a skip counter of 2 to avoid false positives from the search itself, meaning the exploit is sensitive to heap layout and may not be 100% reliable across all environments.
- The RWX address calculation includes a conditional branch based on alignment of the wasm address (checking the low nibble for 0x5 or 0xd), indicating the exploit has environment-specific heap alignment handling that may vary.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
GHSA
GHSA-hqj4-jqvv-8f53: Out of bounds write in V8 in Google Chrome prior to 83
ghsa_unreviewed · 2022-05-24 · MEDIUM · CWE-787
Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2020-6507: Out of bounds write in V8 in Google Chrome prior to 83
osv · 2020-07-22 · CVSS 8.8 (HIGH)
Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Chrome
Stable Channel Update for Desktop: CVE-2020-6507
vendor_chrome · 2020-06-15 · CVSS 8.8 (HIGH)
CVE-2020-6507: Out of bounds write in V8. Reported by Sergei Glazunov of Google Project Zero on 2020-05-27.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Severity: high
Red Hat
chromium-browser: Out of bounds write in V8
vendor_redhat · 2020-06-15 · CVSS 8.8 (HIGH) · CWE-787
Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Debian
CVE-2020-6507: chromium - Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remo...
vendor_debian · 2020 · CVSS 8.8 (HIGH)
Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 83.0.4103.106-1)
bullseye: resolved (fixed in 83.0.4103.106-1)
forky: resolved (fixed in 83.0.4103.106-1)
sid: resolved (fixed in 83.0.4103.106-1)
trixie: resolved (fixed in 83.0.4103.106-1)
No detection rules found.
Bugzilla
CVE-2020-6505 CVE-2020-6506 CVE-2020-6507 chromium: various flaws [fedora-all]
bugzilla · 2020-06-16 · CVSS 9.6 · CVE-2020-6505 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported version
Bugzilla
CVE-2020-6507 chromium-browser: Out of bounds write in V8
bugzilla · 2020-06-16 · CVSS 8.8 (HIGH)
An out of bounds write flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=1086890
External References:
https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-all [bug 1847273]
Affects: fedora-all [bug 1847272]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2020:2643 https://access.redhat.com/errata/RHSA-2020:2643
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-6507
Bugzilla
CVE-2020-6505 CVE-2020-6506 CVE-2020-6507 chromium: various flaws [epel-all]
bugzilla · 2020-06-16 · CVSS 9.6 · CVE-2020-6505 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
References
- http://packetstormsecurity.com/files/162088/Google-Chrome-81.0.4044-V8-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162105/Google-Chrome-81.0.4044-V8-Remote-Code-Execution.html
- https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html
- https://crbug.com/1086890
- https://security.gentoo.org/glsa/202007-08