#VU48790 Use of uninitialized resource in Google Chrome - CVE-2020-16042


| Updated: 2020-12-15

Vulnerability identifier: #VU48790

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-16042

CWE-ID: CWE-908

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Chrome
Client/Desktop applications / Web browsers

Vendor: Google

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in V8 in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger uninitialized usage of resources and bypass implemented security mechanisms.

Mitigation
Update to version 87.0.4280.88.

Vulnerable software versions

Google Chrome: 84.0.4147.135 - 87.0.4280.66

External links
https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html
https://crbug.com/1151890

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Use of uninitialized resource in mozjs78 (Alpine package)
Ubuntu update for thunderbird
Use of uninitialized resource in thunderbird (Alpine package)
Debian update for chromium
Gentoo update for Mozilla Firefox, Mozilla Thunderbird
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 8.1 update for thunderbird
CentOS 7 update for thunderbird
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 8.2 update for thunderbird