CVE-2019-13723 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2019-13723?

CVE-2019-13723 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Chrome's WebBluetooth implementation that allows a remote attacker who has already compromised the renderer process to potentially exploit heap corruption. Attackers could execute arbitrary code or cause denial of service. Users of Google Chrome prior to version 78.0.3904.108 are affected.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's WebBluetooth implementation that allows a remote attacker who has already compromised the renderer process to potentially exploit heap corruption. Attackers could execute arbitrary code or cause denial of service. Users of Google Chrome prior to version 78.0.3904.108 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 78.0.3904.108

Operating Systems: Windows, Linux, macOS, Android, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WebBluetooth feature to be enabled and accessible (typically requires HTTPS context)

📦 What is this software?

Backports by Opensuse

View all CVEs affecting Backports →

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment

🟠

Likely Case

Browser crash/denial of service or limited code execution within sandboxed renderer process

🟢

If Mitigated

Browser crash with no further impact if sandboxing holds and no additional vulnerabilities are chained

🌐 Internet-Facing: HIGH - Can be triggered via crafted HTML page from any website

🏢 Internal Only: MEDIUM - Requires user to visit malicious site or content

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires renderer process compromise first, then can be used to escalate privileges or escape sandbox

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 78.0.3904.108 and later

Vendor Advisory: https://chromereleases.googleblog.com/2019/11/stable-channel-update-for-desktop_18.html

Restart Required: Yes

Instructions:

1. Open Chrome menu > Help > About Google Chrome. 2. Chrome will automatically check for updates. 3. If update available, click 'Relaunch' to apply. 4. For enterprise deployments, use Chrome Enterprise policies to push updates.

🔧 Temporary Workarounds

Disable WebBluetooth

all

Disable the WebBluetooth API to prevent exploitation

chrome://flags/#enable-web-bluetooth
Set to 'Disabled'

Use Chrome Enterprise policies

all

Disable WebBluetooth via enterprise policies

Set 'DefaultWebBluetoothGuardSetting' to 2 (Block)

🧯 If You Can't Patch

Disable WebBluetooth feature via chrome://flags or enterprise policies
Restrict access to untrusted websites and implement web filtering

🔍 How to Verify

Check if Vulnerable:

Check Chrome version via chrome://version or 'About Google Chrome' - if version is below 78.0.3904.108, system is vulnerable

Check Version:

On Linux: google-chrome --version | On Windows: reg query "HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon" /v version

Verify Fix Applied:

Confirm Chrome version is 78.0.3904.108 or higher via chrome://version

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with WebBluetooth-related stack traces
Unexpected renderer process terminations

Network Indicators:

HTTP requests to known exploit hosting domains
Unusual WebBluetooth API usage patterns

SIEM Query:

source="chrome_crash_reports" AND (process="renderer" OR module="bluetooth") AND severity="HIGH"

📊 Metadata

CVE ID: CVE-2019-13723

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: November 25, 2019

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00035.html Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3955 Third Party Advisory
https://chromereleases.googleblog.com/2019/11/stable-channel-update-for-desktop_18.html Vendor Advisory
https://crbug.com/1024121 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54XWRJ5LDFL27QXBPIBX3EHO4TPMKN4R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USW7PGIHNPE6W3LGY6ZDFLELQGSL52CH/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00035.html Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3955 Third Party Advisory
https://chromereleases.googleblog.com/2019/11/stable-channel-update-for-desktop_18.html Vendor Advisory
https://crbug.com/1024121 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54XWRJ5LDFL27QXBPIBX3EHO4TPMKN4R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USW7PGIHNPE6W3LGY6ZDFLELQGSL52CH/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-13723, you might also want to check these: