CVE-2019-13734
📋 TL;DR
This vulnerability is an out-of-bounds write in SQLite within Google Chrome that could allow a remote attacker to exploit heap corruption via a crafted HTML page. Attackers could potentially execute arbitrary code or cause denial of service. Users of affected Chrome versions are at risk when visiting malicious websites.
💻 Affected Systems
- Google Chrome
📦 What is this software?
Backports Sle by Opensuse
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Communications Cloud Native Core Network Repository Function by Oracle
Fedora by Fedoraproject
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Browser crash (denial of service) or limited code execution within browser sandbox.
If Mitigated
Minimal impact if Chrome sandboxing works properly, potentially just browser crash.
🎯 Exploit Status
Exploitation requires bypassing Chrome's sandbox and other security mitigations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 79.0.3945.79 and later
Vendor Advisory: https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
Restart Required: Yes
Instructions:
1. Open Chrome
2. Click menu (three dots) → Help → About Google Chrome
3. Chrome will automatically check for and install updates
4. Click 'Relaunch' to restart Chrome
🔧 Temporary Workarounds
Disable JavaScript
All platforms. Prevents execution of malicious JavaScript that could trigger the vulnerability
chrome://settings/content/javascript → Block
Use Site Isolation
All platforms. Enhances Chrome's site isolation feature to limit impact
chrome://flags/#enable-site-per-process → Enable
🧯 If You Can't Patch
- Restrict browsing to trusted websites only
- Deploy web filtering to block malicious sites
- Use alternative browser temporarily
🔍 How to Verify
Check if Vulnerable:
Check Chrome version: If version is less than 79.0.3945.79, system is vulnerable.
Check Version:
google-chrome --version (Linux) or chrome://version (all platforms)
Verify Fix Applied:
Confirm Chrome version is 79.0.3945.79 or higher after update.
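The version check above only works if the dotted fields are compared as numbers; a plain string comparison such as the `version<"79.0.3945.79"` test sorts 100.x below 79.x and 79.0.3945.9 above 79.0.3945.79. The following is an added example, not part of the original advisory: the function names and the sample version lines are constructed for illustration, and only the fixed version comes from this page.

```sh
#!/bin/sh
# Added example: classify a Chrome version string against the fixed build.
FIXED="79.0.3945.79"   # patch version stated on this page

# Pull the first dotted version out of `google-chrome --version` style output,
# e.g. "Google Chrome 78.0.3904.108" -> "78.0.3904.108".
extract_version() {
    printf '%s\n' "$1" |
        awk 'match($0, /[0-9]+(\.[0-9]+)+/) { print substr($0, RSTART, RLENGTH); exit }'
}

# Return 0 if version $1 is lower than version $2, comparing field by field
# as integers (missing fields count as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Print "vulnerable", "patched" or "unknown" for one line of version output.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample lines, including the two cases a string compare gets wrong.
for line in "Google Chrome 78.0.3904.108" "Google Chrome 79.0.3945.79" \
            "Google Chrome 79.0.3945.9" "Google Chrome 100.0.4896.60"; do
    printf '%s -> %s\n' "$line" "$(chrome_status "$line")"
done
```

On a Linux endpoint the same function can be fed live output with `chrome_status "$(google-chrome --version)"`.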
📡 Detection & Monitoring
Log Indicators:
- Chrome crash reports
- Unexpected process termination logs
- Sandbox escape attempts
Network Indicators:
- Requests to known malicious domains hosting exploit code
- Unusual outbound connections from Chrome processes
SIEM Query:
source="chrome" AND (event="crash" OR event="process_termination") AND version<"79.0.3945.79"
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html
- https://access.redhat.com/errata/RHSA-2019:4238
- https://access.redhat.com/errata/RHSA-2020:0227
- https://access.redhat.com/errata/RHSA-2020:0229
- https://access.redhat.com/errata/RHSA-2020:0273
- https://access.redhat.com/errata/RHSA-2020:0451
- https://access.redhat.com/errata/RHSA-2020:0463
- https://access.redhat.com/errata/RHSA-2020:0476
- https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
- https://crbug.com/1025466
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/
- https://seclists.org/bugtraq/2020/Jan/27
- https://security.gentoo.org/glsa/202003-08
- https://usn.ubuntu.com/4298-1/
- https://usn.ubuntu.com/4298-2/
- https://www.debian.org/security/2020/dsa-4606
- https://www.oracle.com/security-alerts/cpujan2022.html