CVE-2019-13736

8.8 HIGH

📋 TL;DR

This CVE describes an integer overflow vulnerability in PDFium, Chrome's PDF rendering engine, that could allow heap corruption when processing malicious PDF files. Attackers could potentially execute arbitrary code or crash the browser. All Chrome versions prior to 79.0.3945.79 are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
  • Applications using PDFium library
Versions: All versions prior to 79.0.3945.79
Operating Systems: Windows, macOS, Linux, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome installations with PDF viewing enabled are vulnerable.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation.

🟠 Likely Case

Browser crash (denial of service) or limited code execution in sandboxed context.

🟢 If Mitigated

No impact if Chrome is fully patched or PDF rendering is disabled.

🌐 Internet-Facing: HIGH - Attackers can host malicious PDFs on websites or send them via email.
🏢 Internal Only: MEDIUM - Risk exists if users open malicious PDFs from internal sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (opening a PDF) but no authentication. Exploiting the heap corruption requires additional techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 79.0.3945.79 and later

Vendor Advisory: https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome settings > Help > About Google Chrome.
2. Chrome will automatically check for and install updates.
3. Click 'Relaunch' to restart Chrome with the patched version.

🔧 Temporary Workarounds

Disable Chrome PDF Viewer (Platforms: all)

Use an external PDF reader instead of Chrome's built-in PDFium viewer.

chrome://settings/content/pdfDocuments
Toggle 'Download PDF files instead of automatically opening them in Chrome'

Block PDF downloads (Platforms: all)

Use a web proxy or firewall to block .pdf file downloads.

🧯 If You Can't Patch

  • Use alternative browsers without PDFium for PDF viewing
  • Implement application whitelisting to block Chrome execution

🔍 How to Verify

Check if Vulnerable:

Check the Chrome version: if it is lower than 79.0.3945.79, the system is vulnerable.

Check Version:

Open chrome://version/, run 'google-chrome --version' (Linux), or check About Chrome in settings.

Verify Fix Applied:

Verify Chrome version is 79.0.3945.79 or higher.
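
The version check above is easy to get wrong with a plain string comparison ("100.0.4896.60" and "79.0.3945.9" both sort on the wrong side of "79.0.3945.79"). The script below is an added example, not part of the original advisory: it compares the four version fields numerically against the fixed version. The function names and sample strings are constructed for illustration, and the result applies to Chrome's own version numbering only.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Chrome build against the
# fixed version 79.0.3945.79 using a numeric, field-by-field comparison.
FIXED="79.0.3945.79"

# extract_version TEXT: print the first four-part version found in TEXT.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# ver_lt A B: succeed only if four-part version A is numerically lower than B.
ver_lt() {
    for i in 1 2 3 4; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1  # equal versions are not "lower"
}

# chrome_status TEXT: print "vulnerable V", "patched V" (for this CVE) or "unknown".
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif ver_lt "$v" "$FIXED"; then
        echo "vulnerable $v"
    else
        echo "patched $v"
    fi
}

# Constructed sample outputs in the format printed by 'google-chrome --version'.
for sample in \
    "Google Chrome 78.0.3904.108" \
    "Google Chrome 79.0.3945.9" \
    "Google Chrome 79.0.3945.79" \
    "Google Chrome 100.0.4896.60"
do
    printf '%-32s -> %s\n' "$sample" "$(chrome_status "$sample")"
done

# Real use: pass the browser's own output as the first argument.
if [ "$#" -gt 0 ]; then
    chrome_status "$1"
fi
```

On a Linux host, run it as `sh check_chrome.sh "$(google-chrome --version)"` (the script file name is an assumption).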

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Unexpected process termination
  • Security event logs showing PDF file access

Network Indicators:

  • PDF file downloads from untrusted sources
  • Unusual outbound connections after PDF opening

SIEM Query:

source="chrome" AND (event="crash" OR event="process_termination") AND file_extension="pdf"
