CVE-2020-16010
Vexday Risk Score
58 · Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.6 · EPSS 6.4% · KEV yes · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
03 Nov 2020: Published on NVD
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A heap buffer overflow in Chrome's UI on Android allows an attacker who has already compromised the renderer process to escape the security sandbox and gain full device access. This is a critical vulnerability because it undermines Chrome's main defense mechanism.
Technical detail
A heap buffer overflow in the UI rendering component of Google Chrome on Android (versions prior to 86.0.4240.185) can be exploited by a compromised renderer process through a crafted HTML page. The vulnerability enables sandbox escape, allowing potential elevation of privileges from renderer context to full system access. The attack requires prior code execution in the renderer process.
Summary generated and translated by AI from the official description.
Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
Google · Chrome