cbcvebase.
CVE-2020-6507
published 2020-07-22

CVE-2020-6507: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Priority: P267 · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 19.42% (97.0th percentile)

Affected

8 ranges
Vendor    Product        Version range                     Fixed in
chromium  chromium       >= 0 < 83.0.4103.106-1            83.0.4103.106-1
chromium  chromium       >= 0 < 83.0.4103.106-1            83.0.4103.106-1
chromium  chromium       >= 0 < 83.0.4103.106-1            83.0.4103.106-1
chromium  chromium       >= 0 < 83.0.4103.106-1            83.0.4103.106-1
debian    chromium       < 83.0.4103.106-1 (bookworm)      83.0.4103.106-1 (bookworm)
google    chrome         < 83.0.4103.106                   83.0.4103.106
google    chrome         >= unspecified < 83.0.4103.106    83.0.4103.106
google    chrome_chrome  -                                 -

Detection & IOCs (extracted from sources)

Source: Google Chrome 81.0.4044 V8 - Remote Code Execution (public exploit)
  • The exploit triggers the out-of-bounds write in V8 by manipulating array lengths with Math.max and Array.prototype.splice on a giant concatenated array (~0x40000 * 0x100 = 0x4000000 elements), corrupting the length field of an adjacent array. Monitor for JavaScript that builds extremely large arrays via Array.prototype.concat.apply over many large sub-arrays.
  • The exploit uses a Float64Array/BigUint64Array view over the same buffer to reinterpret the constant 0x2424242400000001n as a double, which encodes the corrupted array length. That constant in JavaScript served to clients or found in a V8 heap is a strong indicator of this specific public exploit; any modified copy can change it, so its absence proves nothing.
  • The exploit searches memory for the marker value 0x13373n to locate an ArrayBuffer object on which it builds its arbitrary read/write primitives. Presence of this value in a V8 heap-scanning loop is indicative of this exploit.
  • The vulnerability is triggered by a crafted HTML page delivered remotely. Chrome versions prior to 83.0.4103.106 are affected; enforce version checks on Chrome deployments.
  • The public exploit targets Chrome 81.0.4044, but the CVE affects all Chrome versions prior to 83.0.4103.106. The exploit may require adaptation for other versions in that range.
  • The exploit's memory search for the ArrayBuffer marker (0x13373n) uses a skip counter of 2 to avoid false positives from the search itself, so the exploit is sensitive to heap layout and may not be reliable across all environments.
  • The RWX address calculation includes a conditional branch on the alignment of the wasm address (checking whether its low nibble is 0x5 or 0xd), so the exploit carries environment-specific heap-alignment handling that may vary between builds.
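The two checks the notes above ask for, as an added example that is not code from this entry or from the public exploit it cites: a version comparison against the fixed build 83.0.4103.106 (usable on inventory data or on the Chrome token of a User-Agent string), and a scanner that scores a JavaScript body against the indicators listed (the two PoC constants, Array.prototype.concat.apply, Float64Array/BigUint64Array bit-casting, Math.max together with splice, WebAssembly use). The function names, the indicator weights, the flag threshold and the sample inputs are this example's own assumptions, not part of the advisory.

```javascript
// Added example: not code from the CVE entry or from the public exploit it cites.
// Two offline checks built from this entry's detection notes:
//   isVulnerableChrome(version)    -> is a Chrome/Chromium build older than the fix, 83.0.4103.106?
//   scanForExploitIndicators(src)  -> does a JavaScript body contain the listed indicators?
// Function names, indicator weights, the flag threshold and the sample inputs are
// this example's own choices (assumptions), not part of the advisory.

const FIXED_VERSION = '83.0.4103.106';

// Compare dotted version strings field by field as integers; missing fields count as 0.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given Chrome/Chromium version predates the fixed build.
function isVulnerableChrome(version) {
  if (!/^\d+(\.\d+){0,3}$/.test(version)) throw new Error(`unparseable Chrome version: ${version}`);
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Pull the Chrome/Chromium build out of a User-Agent string (null when absent),
// e.g. when checking proxy or web-server access logs.
function chromeVersionFromUA(ua) {
  const m = /(?:Chrome|Chromium)\/(\d+(?:\.\d+){0,3})/.exec(ua);
  return m ? m[1] : null;
}

// Indicator rules from the detection notes. The two PoC constants are strong on their
// own; the structural patterns are common in legitimate code and only count together.
const INDICATORS = [
  { name: 'magic-length-constant', weight: 5, re: /0x2424242400000001n?/i },
  { name: 'arraybuffer-marker',    weight: 5, re: /0x13373n?\b/i },
  { name: 'giant-concat-apply',    weight: 2, re: /Array\.prototype\.concat\.apply\s*\(/ },
  { name: 'typed-array-bitcast',   weight: 2,
    re: /Float64Array[\s\S]{0,200}BigUint64Array|BigUint64Array[\s\S]{0,200}Float64Array/ },
  { name: 'math-max-splice',       weight: 2,
    re: /Math\.max\s*\([\s\S]{0,300}\.splice\s*\(|\.splice\s*\([\s\S]{0,300}Math\.max\s*\(/ },
  { name: 'webassembly-rwx',       weight: 1, re: /WebAssembly\.(?:Instance|Module)\b/ },
];
const FLAG_THRESHOLD = 4; // one magic constant, or two co-occurring structural patterns

function scanForExploitIndicators(src) {
  const matched = INDICATORS.filter((r) => r.re.test(src));
  const score = matched.reduce((s, r) => s + r.weight, 0);
  return { hits: matched.map((r) => r.name), score, suspicious: score >= FLAG_THRESHOLD };
}

// Constructed sample (not the real exploit): a page body shaped like the notes describe.
const SAMPLE_SUSPICIOUS = `
  var buf = new ArrayBuffer(8);
  var f64 = new Float64Array(buf);
  var u64 = new BigUint64Array(buf);
  var big = Array.prototype.concat.apply([], new Array(0x100).fill(new Array(0x40000).fill(1.1)));
  u64[0] = 0x2424242400000001n;
  big.splice(Math.max(big.length, 0), 0, f64[0]);
`;

// Constructed benign sample: ordinary typed-array arithmetic with none of the other markers.
const SAMPLE_BENIGN = `
  const view = new Float64Array(16);
  for (let i = 0; i < view.length; i++) view[i] = Math.max(i, 1) * 0.5;
`;

// Constructed User-Agent line as it would appear in an access log.
const SAMPLE_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36';

// Stand-alone run: report on the constructed samples.
for (const [label, src] of [['suspicious', SAMPLE_SUSPICIOUS], ['benign', SAMPLE_BENIGN]]) {
  const r = scanForExploitIndicators(src);
  console.log(`${label}: ${r.suspicious ? 'FLAG' : 'ok'} score=${r.score} hits=[${r.hits.join(', ')}]`);
}
const uaVersion = chromeVersionFromUA(SAMPLE_UA);
console.log(`UA Chrome ${uaVersion}: vulnerable=${isVulnerableChrome(uaVersion)}`);
```

The scanner is a triage aid, not a signature: the constants flag only unmodified copies of the public exploit, and the structural patterns each occur in legitimate code, which is why a single one never crosses the threshold on its own. The version check is the durable control; run it against the fleet rather than against User-Agent strings alone, since those are client-controlled.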

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
osv            -        8.8    HIGH      -
vendor_debian  -        8.8    HIGH      -
vendor_redhat  -        8.8    HIGH      -