CVE-2019-13689

7.8 HIGH

📋 TL;DR

This high-severity vulnerability (CVSS 7.8) in ChromeOS allowed an attacker to perform arbitrary read/write operations via a malicious file that the victim opens, potentially leading to compromise of the device. It affected Google Chrome on ChromeOS prior to 75.0.3770.80; devices that had not taken the update remained exploitable.

💻 Affected Systems

Products:
  • Google Chrome on ChromeOS
Versions: All versions prior to 75.0.3770.80
Operating Systems: ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ChromeOS devices running vulnerable Chrome versions. Does not affect Chrome on other operating systems.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attacker to read sensitive files, install persistent malware, or modify system files for privilege escalation.

🟠

Likely Case

Data theft, installation of malicious software, or system instability from unauthorized file modifications.

🟢

If Mitigated

No impact if systems are patched or isolated from untrusted file sources.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction with malicious files. No public exploit code was released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 75.0.3770.80 and later

Vendor Advisory: https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-chrome-os.html

Restart Required: Yes

Instructions:

1. Open ChromeOS Settings.
2. Click 'About Chrome OS'.
3. Click 'Check for updates'.
4. Install any available update.
5. Restart the device when prompted; the new build is not active until after the restart.

🔧 Temporary Workarounds

Require confirmation before automatic downloads

Set Chrome to ask before a site downloads multiple files automatically. This reduces unattended delivery of malicious files to the device, but it is not a fix: it does not stop a user from opening a malicious file they download deliberately or receive by other means, and it does not change the vulnerable code.

chrome://settings/content/automaticDownloads

🧯 If You Can't Patch

  • Keep unpatched ChromeOS devices off untrusted networks and away from untrusted file sources (email attachments, shared drives, removable media)
  • Use managed Chrome policy to restrict downloads (for example, the DownloadRestrictions policy) and to limit which extensions and apps users can install, so that unauthorized files are less likely to reach the device

🔍 How to Verify

Check if Vulnerable:

Open Settings > About Chrome OS and read the Chrome version. Compare it component by component as numbers, not as a string: any build numerically below 75.0.3770.80 is vulnerable.

Check Version:

chrome://version

Verify Fix Applied:

Confirm that the version shown in Settings > About Chrome OS (or at chrome://version) is 75.0.3770.80 or later, and that the device has been restarted since the update was installed.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file system modifications
  • Chrome crash reports with memory corruption indicators
  • Unusual process spawning from Chrome

Network Indicators:

  • Downloads of suspicious file types to ChromeOS devices
  • Outbound connections from ChromeOS to unknown destinations post-file download

SIEM Query (pseudo-query; adapt field names to your platform):

source="chromeos" AND (event="file_modification" OR event="chrome_crash") AND version<"75.0.3770.80"

Note that the version comparison must be numeric per dotted component; a plain string comparison would treat 100.0.4896.75 as older than 75.0.3770.80 and 9.0.0.1 as newer.
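The version check in "How to Verify" and the SIEM pseudo-query both depend on comparing dotted Chrome versions correctly. The following is an added example, not code from the advisory or from Google: it parses a Chrome version out of free text (such as the chrome://version page or an inventory export), compares it numerically against the fixed build, and runs that check over a constructed device inventory to list the ChromeOS devices still below 75.0.3770.80. The inventory lines, hostnames and record layout are made up for the example.

```python
"""
Added example (not from the advisory): numeric comparison of Chrome /
ChromeOS version strings against the CVE-2019-13689 fix (75.0.3770.80),
applied to a constructed device inventory.
"""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "75.0.3770.80"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first four-part dotted version from free text (e.g. a
    chrome://version page or an inventory record) as a tuple of ints.
    Returns None when no such version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version sorts numerically below the patched build.
    Tuples of ints compare component by component, so 100.0.x.y is
    correctly newer than 75.0.3770.80 and 9.0.0.1 correctly older."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"no Chrome version found in {version!r}")
    return parsed < parse_version(FIXED_VERSION)


def naive_string_compare(version: str) -> bool:
    """The mistake a string-typed SIEM field makes: lexical comparison.
    Kept here only to show how it misclassifies versions."""
    return version < FIXED_VERSION


# Constructed sample inventory: hostname, platform, Chrome version.
SAMPLE_INVENTORY = """\
cros-lab-01 chromeos 74.0.3729.159
cros-lab-02 chromeos 75.0.3770.80
cros-lab-03 chromeos 75.0.3770.100
cros-lab-04 chromeos 100.0.4896.75
win-desk-07 windows 74.0.3729.169
cros-lab-05 chromeos 9.0.0.1
"""


def find_vulnerable_hosts(inventory: str) -> List[str]:
    """Return hostnames of ChromeOS devices running a build below the fix.
    Chrome on other platforms is not affected by this CVE and is skipped."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, platform, version = line.split()
        if platform != "chromeos":
            continue
        if is_vulnerable(version):
            hits.append(host)
    return hits


if __name__ == "__main__":
    print("vulnerable ChromeOS hosts:", find_vulnerable_hosts(SAMPLE_INVENTORY))
    for v in ("100.0.4896.75", "9.0.0.1"):
        print(f"{v}: numeric={is_vulnerable(v)} lexical={naive_string_compare(v)}")
```

Running the block lists cros-lab-01 and cros-lab-05 as vulnerable, and the second loop shows the lexical comparison flagging 100.0.4896.75 while clearing 9.0.0.1, both wrong. If your SIEM stores the version as a string, extract the components into numeric fields at ingest time rather than comparing the raw string.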
