Multiple vulnerabilities in Google Chrome for Android
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 8 |
| CVE-ID | CVE-2020-13871 CVE-2020-15358 CVE-2020-15993 CVE-2020-15994 CVE-2020-15995 CVE-2020-15996 CVE-2020-15997 CVE-2020-15998 |
| CWE-ID | CWE-416 CWE-787 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Chrome for Android Mobile applications / Apps for mobile phones |
| Vendor |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU28773
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-13871
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in resetAccumulator() function in select.c. A remote attacker can pass specially crafted data to the application, trigger a use-after-free error and crash the service or execute arbitrary code on the target system
Install update from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://www.sqlite.org/src/info/79eff1d0383179c4
https://www.sqlite.org/src/info/c8d3b9f0a750a529
https://www.sqlite.org/src/info/cd708fa84d2aaaea
https://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1117367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU30165
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-15358
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://security.netapp.com/advisory/ntap-20200709-0001/
https://www.sqlite.org/src/info/10fa79d00f8091e5
https://www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2
https://www.sqlite.org/src/tktview?name=8f157e8010
https://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1117367
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU47723
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15993
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in printing. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1133983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free
EUVDB-ID: #VU47724
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15994
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in V8. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1117258
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds write
EUVDB-ID: #VU47725
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15995
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in V8. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1132111
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU47726
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15996
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in passwords. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1133635
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU47727
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15997
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Mojo. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1133668
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Use-after-free
EUVDB-ID: #VU47728
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-15998
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in USB. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Chrome for Android: before 86.0.4240.99
CPE2.3 External linkshttps://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1135857
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
