CVE-2019-13690

9.6 CRITICAL

📋 TL;DR

This vulnerability allows a remote attacker to escalate privileges to OS-level on ChromeOS devices by tricking a user into opening a malicious file. It affects ChromeOS devices running Google Chrome versions before 75.0.3770.80. The attacker could gain full control of the device.

💻 Affected Systems

Products:
  • Google Chrome on ChromeOS
Versions: All versions prior to 75.0.3770.80
Operating Systems: ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ChromeOS devices, not other operating systems running Chrome browser.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of ChromeOS device with root-level access, allowing installation of persistent malware, data theft, and device takeover.

🟠

Likely Case

Attacker gains elevated privileges to install malicious software, access sensitive files, or pivot to other systems on the network.

🟢

If Mitigated

Limited impact if the device is isolated, has strict file execution policies, or the user does not open untrusted files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening malicious file). Technical details and proof-of-concept are publicly available in Chromium bug reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 75.0.3770.80 and later

Vendor Advisory: https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-chrome-os.html

Restart Required: Yes

Instructions:

1. Open ChromeOS settings
2. Click 'About Chrome OS'
3. Click 'Check for updates'
4. Install any available updates
5. Restart the device when prompted

🔧 Temporary Workarounds

  • Disable automatic file execution (all): Configure ChromeOS to require explicit user permission before executing downloaded files
  • Restrict file downloads (all): Use enterprise policies to block file downloads from untrusted sources

🧯 If You Can't Patch

  • Isolate affected ChromeOS devices from critical networks
  • Implement strict user education about opening untrusted files

🔍 How to Verify

Check if Vulnerable:

Check the Chrome version in Settings > About Chrome OS. If the version is below 75.0.3770.80, the device is vulnerable.

Check Version:

Enter chrome://version in the Chrome address bar.

Verify Fix Applied:

Confirm Chrome version is 75.0.3770.80 or higher in Settings > About Chrome OS.
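Comparing a dotted Chrome version against 75.0.3770.80 by hand is easy for one device but error-prone across a fleet, and a naive string comparison gets it wrong (the string "9.0.597.107" sorts after "75.0.3770.80"). The script below is an added example, not part of this advisory or of any Google tooling: it compares versions component by component and triages a constructed `device_id,platform,version` inventory export (the device ids, the CSV layout and the sample versions are assumptions; only the fixed version comes from the advisory). Non-ChromeOS rows are set aside because the advisory scopes the bug to ChromeOS.

```python
"""Flag ChromeOS devices whose Chrome version predates the fixed release.

Added example, not from the advisory or from Google. The inventory lines are
constructed sample data; 75.0.3770.80 is the fixed version from the advisory.
"""
from __future__ import annotations

FIXED_VERSION = "75.0.3770.80"  # first release containing the fix (from the advisory)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version into a tuple of ints for numeric comparison.

    Comparing raw strings is wrong: "9.0.597.107" > "75.0.3770.80"
    lexicographically although it is far older. Missing trailing components
    are padded with zeros so "75.0" compares equal to "75.0.0.0".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed release (and so affected)."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: list[str]) -> dict[str, list[str]]:
    """Bucket a 'device_id,platform,version' export (assumed layout) by status.

    Only ChromeOS rows are evaluated: the advisory scopes this CVE to ChromeOS,
    so Chrome on other platforms is reported as not applicable.
    """
    result: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "not_applicable": [], "invalid": []
    }
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            device_id, platform, version = (f.strip() for f in line.split(","))
        except ValueError:  # wrong number of columns
            result["invalid"].append(line)
            continue
        if platform.lower() != "chromeos":
            result["not_applicable"].append(device_id)
            continue
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:  # unparseable version string
            result["invalid"].append(line)
            continue
        result["vulnerable" if vulnerable else "patched"].append(device_id)
    return result


# Constructed sample export: device ids and versions are made up for illustration.
SAMPLE_INVENTORY = """
# device_id,platform,version
cb-0001,ChromeOS,74.0.3729.157
cb-0002,ChromeOS,75.0.3770.80
cb-0003,ChromeOS,75.0.3770.100
cb-0004,ChromeOS,9.0.597.107
ws-0005,Windows,74.0.3729.157
cb-0006,ChromeOS,unknown
""".strip().splitlines()

if __name__ == "__main__":
    for bucket, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {ids}")
```

Rows that cannot be parsed go into an `invalid` bucket rather than silently passing as patched, which is the failure mode to avoid when a fleet export contains blanks or placeholder strings.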

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Suspicious file execution from downloads
  • Unusual process creation with elevated privileges

Network Indicators:

  • Downloads of suspicious files followed by unusual outbound connections

SIEM Query:

source="chromeos" AND (event_type="privilege_escalation" OR (process_name="chrome" AND parent_process="unexpected"))

The inner parentheses make the intended precedence explicit; `parent_process="unexpected"` is a placeholder to replace with a negated allowlist of the processes that legitimately start chrome in your environment.
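The query above fires on single events, while the network indicator ("downloads of suspicious files followed by unusual outbound connections") is a sequence that needs correlation per device. The script below is an added example, not from this advisory: it applies the query with explicit precedence and then links a download to a later execution of that file or an outbound connection to a destination not on a known list, within a time window. The event schema (`ts`, `source`, `device`, `event_type`, `process_name`, `parent_process`, `image`, `file`, `dest`), the expected-parent set, the known destinations, the 10-minute window and every sample log line are constructed assumptions to map onto your own telemetry.

```python
"""Correlate the advisory's log and network indicators over constructed events.

Added example, not from the advisory. Field names, allowlists, the window and
the sample log lines are assumptions; adapt them to your own event schema.
"""
import json
from datetime import datetime, timedelta

# Assumptions to tune per fleet.
EXPECTED_CHROME_PARENTS = {"session_manager"}   # processes expected to spawn chrome
KNOWN_DESTS = {"clients2.google.com", "update.googleapis.com"}  # expected outbound hosts
WINDOW = timedelta(minutes=10)                   # how long a download stays "recent"


def parse_events(lines):
    """Parse newline-delimited JSON events and return them ordered by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def matches_siem_query(ev):
    """The advisory's SIEM query with explicit precedence: a privilege-escalation
    event, or chrome started by a parent outside the expected set. The parent
    check is applied to process_start events only (an interpretation)."""
    if ev.get("source") != "chromeos":
        return False
    if ev.get("event_type") == "privilege_escalation":
        return True
    return (ev.get("event_type") == "process_start"
            and ev.get("process_name") == "chrome"
            and ev.get("parent_process") not in EXPECTED_CHROME_PARENTS)


def correlate(events):
    """Return (alert, device, timestamp) triples: single-event query matches plus
    download -> execution of that file and download -> unusual outbound
    connection sequences on the same device inside WINDOW."""
    alerts = []
    downloads = {}  # device -> [(downloaded file path, timestamp), ...]
    for ev in events:
        dev, ts = ev["device"], ev["ts"]
        if matches_siem_query(ev):
            alerts.append(("siem_query_match", dev, ts.isoformat()))
        if ev["event_type"] == "file_download":
            downloads.setdefault(dev, []).append((ev["file"], ts))
            continue
        recent = {f for f, t in downloads.get(dev, []) if ts - t <= WINDOW}
        if not recent:
            continue
        if ev["event_type"] == "process_start" and ev.get("image") in recent:
            alerts.append(("execution_of_download", dev, ts.isoformat()))
        elif ev["event_type"] == "net_connect" and ev.get("dest") not in KNOWN_DESTS:
            alerts.append(("outbound_after_download", dev, ts.isoformat()))
    return alerts


# Constructed sample log: devices, paths and addresses are made up for illustration.
SAMPLE_LOG = """
{"ts": "2019-06-05T10:00:00", "source": "chromeos", "device": "cb-0001", "event_type": "file_download", "file": "/home/chronos/user/Downloads/invoice.bin"}
{"ts": "2019-06-05T10:01:30", "source": "chromeos", "device": "cb-0001", "event_type": "process_start", "process_name": "invoice.bin", "parent_process": "chrome", "image": "/home/chronos/user/Downloads/invoice.bin"}
{"ts": "2019-06-05T10:02:00", "source": "chromeos", "device": "cb-0001", "event_type": "privilege_escalation", "process_name": "invoice.bin"}
{"ts": "2019-06-05T10:02:10", "source": "chromeos", "device": "cb-0001", "event_type": "net_connect", "process_name": "invoice.bin", "dest": "203.0.113.7"}
{"ts": "2019-06-05T10:05:00", "source": "chromeos", "device": "cb-0002", "event_type": "file_download", "file": "/home/chronos/user/Downloads/report.pdf"}
{"ts": "2019-06-05T10:06:00", "source": "chromeos", "device": "cb-0002", "event_type": "net_connect", "process_name": "chrome", "dest": "update.googleapis.com"}
{"ts": "2019-06-05T10:30:00", "source": "chromeos", "device": "cb-0002", "event_type": "net_connect", "process_name": "chrome", "dest": "198.51.100.9"}
{"ts": "2019-06-05T11:00:00", "source": "chromeos", "device": "cb-0003", "event_type": "process_start", "process_name": "chrome", "parent_process": "session_manager"}
{"ts": "2019-06-05T11:01:00", "source": "chromeos", "device": "cb-0003", "event_type": "process_start", "process_name": "chrome", "parent_process": "bash"}
""".strip()


def run_sample():
    """Correlate the constructed sample log and return the alerts it produces."""
    return correlate(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data, cb-0001 raises three alerts in sequence (execution of the downloaded file, the privilege-escalation event, an outbound connection to an unknown address), cb-0003 raises one for chrome started by an unexpected parent, and cb-0002 raises none: its outbound connection to an unknown address comes 25 minutes after the download, outside the window, which is the tuning knob that trades missed sequences against noise.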
