CVE-2020-15993 – This is a use-after-free vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2020-15993?

CVE-2020-15993 has a CVSS score of 9.8 (CRITICAL). This is a use-after-free vulnerability in Chrome's printing component that allows remote attackers to potentially exploit heap corruption. Attackers can trigger this by tricking users into visiting a malicious HTML page. All Chrome users on versions prior to 86.0.4240.99 are affected.

📋 TL;DR

This is a use-after-free vulnerability in Chrome's printing component that allows remote attackers to potentially exploit heap corruption. Attackers can trigger this by tricking users into visiting a malicious HTML page. All Chrome users on versions prior to 86.0.4240.99 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 86.0.4240.99

Operating Systems: Windows, macOS, Linux, Android, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Extensions or security settings don't mitigate this.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within Chrome's sandbox.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can host malicious pages on the internet and target any Chrome user.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploit requires user interaction (visiting malicious page). The bug report (crbug.com/1133983) contains technical details that could aid exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 86.0.4240.99 and later

Vendor Advisory: https://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click menu (three dots) > Help > About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents malicious HTML from executing JavaScript that could trigger the vulnerability.

Use browser extensions to block scripts

all

Extensions like NoScript or uBlock Origin can block malicious scripts.

🧯 If You Can't Patch

Restrict access to untrusted websites using web filtering or proxy policies.
Implement application whitelisting to prevent unauthorized code execution if exploitation occurs.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 86.0.4240.99, you are vulnerable.

Check Version:

On Chrome: chrome://version/ or in terminal: google-chrome --version

Verify Fix Applied:

Confirm Chrome version is 86.0.4240.99 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash logs with printing-related stack traces
Unexpected Chrome process termination

Network Indicators:

HTTP requests to suspicious domains hosting HTML pages
Unusual printing-related network activity

SIEM Query:

source="chrome_logs" AND (event="crash" OR event="process_termination") AND message="printing"

📊 Metadata

CVE ID: CVE-2020-15993

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: November 3, 2020

Last Updated: November 21, 2024

🔗 References

https://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html Release Notes,Vendor Advisory
https://crbug.com/1133983 Permissions Required,Vendor Advisory
https://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html Release Notes,Vendor Advisory
https://crbug.com/1133983 Permissions Required,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-15993, you might also want to check these: