CVE-2019-13764 – This vulnerability is a type confusion flaw in ... (How to Fix)

Q: What is the severity of CVE-2019-13764?

CVE-2019-13764 has a CVSS score of 8.8 (HIGH). This vulnerability is a type confusion flaw in Chrome's JavaScript engine that could allow an attacker to execute arbitrary code or cause heap corruption. It affects users running Google Chrome versions before 79.0.3945.79. Attackers can exploit this by tricking users into visiting a malicious webpage.

📋 TL;DR

This vulnerability is a type confusion flaw in Chrome's JavaScript engine that could allow an attacker to execute arbitrary code or cause heap corruption. It affects users running Google Chrome versions before 79.0.3945.79. Attackers can exploit this by tricking users into visiting a malicious webpage.

💻 Affected Systems

Products:

Google Chrome

Versions: All versions prior to 79.0.3945.79

Operating Systems: Windows, macOS, Linux, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Extensions or security settings don't mitigate this vulnerability.

📦 What is this software?

Backports Sle by Opensuse

View all CVEs affecting Backports Sle →

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash, denial of service, or limited code execution within the browser sandbox.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites that any user might visit.

🏢 Internal Only: MEDIUM - Could be exploited via internal phishing campaigns or compromised internal sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious page). The bug report (crbug.com/1028863) contains technical details that could aid exploit development.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 79.0.3945.79 and later

Vendor Advisory: https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the updated version.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents JavaScript execution which blocks the attack vector, but breaks most website functionality.

chrome://settings/content/javascript → Block

Use Chrome Enterprise policies

all

Deploy update policies to force Chrome updates across the organization.

Configure AutoUpdateCheckPeriodMinutes and UpdateDefault policies

🧯 If You Can't Patch

Use alternative browsers that are not vulnerable to this specific Chrome flaw.
Implement web filtering to block known malicious sites and restrict browsing to trusted domains only.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 79.0.3945.79, the system is vulnerable.

Check Version:

On Chrome: chrome://version/ or 'google-chrome --version' in terminal

Verify Fix Applied:

Confirm Chrome version is 79.0.3945.79 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption errors
Unexpected Chrome process termination

Network Indicators:

Requests to suspicious domains with crafted JavaScript payloads

SIEM Query:

source="chrome_logs" AND (event="crash" OR event="memory_error") AND version<79.0.3945.79

📊 Metadata

CVE ID: CVE-2019-13764

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-843

Published: December 10, 2019

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4238 Third Party Advisory
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1028863 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/
https://seclists.org/bugtraq/2020/Jan/27 Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4606 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4238 Third Party Advisory
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1028863 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/
https://seclists.org/bugtraq/2020/Jan/27 Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4606 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-13764, you might also want to check these: