CVE-2020-16017

CVSS 9.6 CRITICAL · EPSS 2.7% · KEV · CWE-416
Vexday Risk Score
58 Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.6 · EPSS 2.7% · KEV yes · PoC · Nuclei · Metasploit · Patch
Lifecycle
08 Jan 2021: Published on NVD
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A memory flaw in Google Chrome allowed attackers who compromised the browser's rendering process to escape the security sandbox through a specially crafted webpage. This could give them access to your system beyond the browser's protections.

Technical detail

A use-after-free vulnerability in Chrome's site isolation mechanism (CWE-416) permitted a sandbox escape once the renderer process was compromised. The attack requires prior renderer compromise; the impact is a sandbox escape with potential system-level code execution. Affected versions are those prior to 86.0.4240.198.

Summary generated and translated by AI from the official description.
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
Google · Chrome
