Multiple vulnerabilities in Google Chrome
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 27 |
| CVE-ID | CVE-2020-15982 CVE-2020-6557 CVE-2020-15977 CVE-2020-15978 CVE-2020-15979 CVE-2020-15980 CVE-2020-15981 CVE-2020-15983 CVE-2020-15975 CVE-2020-15984 CVE-2020-15985 CVE-2020-15986 CVE-2020-15987 CVE-2020-15992 CVE-2020-15988 CVE-2020-15989 CVE-2020-15976 CVE-2020-15974 CVE-2020-15967 CVE-2020-15973 CVE-2020-15968 CVE-2020-15969 CVE-2020-15970 CVE-2020-15971 CVE-2020-15972 CVE-2020-15990 CVE-2020-15991 |
| CWE-ID | CWE-310 CWE-358 CWE-20 CWE-264 CWE-125 CWE-190 CWE-416 CWE-908 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 27 vulnerabilities.
1) Cryptographic issues
EUVDB-ID: #VU47374
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15982
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to side-channel information leak in cache. Chrome Medium. A remote attacker can create a specially crafted web page, trick the victim into opening it and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1039882
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improperly implemented security check for standard
EUVDB-ID: #VU47368
Risk: High
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-6557
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in networking in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1083278
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU47369
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15977
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in dialogs in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1097724
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU47370
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15978
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1116280
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improperly implemented security check for standard
EUVDB-ID: #VU47371
Risk: High
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15979
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1127319
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47372
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15980
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Intents in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1092453
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU47373
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15981
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the audio component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1123023
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU47375
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15983
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in webUI in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1076786
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Integer overflow
EUVDB-ID: #VU47393
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15975
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a integer overflow in SwiftShader in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and crash the browser.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1110800
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47376
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15984
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Omnibox in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1080395
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improperly implemented security check for standard
EUVDB-ID: #VU47377
Risk: High
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15985
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Blink in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1099276
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Integer overflow
EUVDB-ID: #VU47394
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15986
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a integer overflow in media in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and crash the browser.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1100247
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Use-after-free
EUVDB-ID: #VU47378
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15987
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within WebRTC in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1127774
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47379
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15992
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in networking in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1110195
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47380
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-15988
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in downloads in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1092518
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Use of uninitialized resource
EUVDB-ID: #VU47381
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-15989
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to usage of uninitialized resources in PDFium in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1108351
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Use-after-free
EUVDB-ID: #VU47367
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15976
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within WebXR in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1123522
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Integer overflow
EUVDB-ID: #VU47392
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15974
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a integer overflow in Blink in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and crash the browser.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1104103
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Use-after-free
EUVDB-ID: #VU47358
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15967
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the payments component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1127322
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47366
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15973
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in extensions in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1106890
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Use-after-free
EUVDB-ID: #VU47359
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15968
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Blink component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1126424
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Use-after-free
EUVDB-ID: #VU47360
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15969
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the usersctp library. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1124659
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Use-after-free
EUVDB-ID: #VU47361
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15970
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the NFC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1108299
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Use-after-free
EUVDB-ID: #VU47362
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15971
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the printing component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1114062
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Use-after-free
EUVDB-ID: #VU47363
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15972
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the audio component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1115901
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Use-after-free
EUVDB-ID: #VU47364
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15990
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the autofill component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1133671
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Use-after-free
EUVDB-ID: #VU47365
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15991
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the password manager component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 86.0.4240.75.
Vulnerable software versionsGoogle Chrome: 83.0.4103.97 - 85.0.4183.121
CPE2.3- cpe:2.3:a:google:google_chrome:83.0.4103.97:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.106:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:83.0.4103.116:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
https://crbug.com/1133688
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
