Login Sign Up

CVE-2020-16003

8.8 HIGH

📋 TL;DR

This vulnerability is a use-after-free memory corruption flaw in Google Chrome's printing component. It allows remote attackers to potentially execute arbitrary code or cause denial of service by tricking users into visiting a malicious webpage. All Chrome users on affected versions are vulnerable.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 86.0.4240.111
Operating Systems: Windows, macOS, Linux, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Chrome installations are vulnerable; extensions or security settings don't mitigate this.

📦 What is this software?

Backports Sle by Opensuse

View all CVEs affecting Backports Sle →

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within Chrome's sandbox.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites that users might visit.
🏢 Internal Only: MEDIUM - Requires user interaction with malicious content, which could be delivered internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user to visit a crafted HTML page; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 86.0.4240.111 and later

Vendor Advisory: https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the patched version.

🔧 Temporary Workarounds

Disable Chrome auto-updates (temporary)

all

Prevents Chrome from updating automatically, but this is NOT recommended as it leaves systems vulnerable. Use only if patching immediately isn't possible and combined with other controls.

Windows: Disable via Group Policy or registry. Linux: Hold package with apt-mark hold google-chrome-stable. macOS: Remove update permissions.

🧯 If You Can't Patch

  • Use browser isolation or sandboxing technologies to contain potential exploits.
  • Block access to untrusted websites via web filtering or firewall rules.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 86.0.4240.111, it's vulnerable.

Check Version:

chrome://version/ in Chrome address bar, or on command line: google-chrome --version

Verify Fix Applied:

Confirm Chrome version is 86.0.4240.111 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash logs with memory corruption errors, unexpected process terminations.

Network Indicators:

  • Unusual outbound connections from Chrome post-visiting a webpage, exploit kit traffic patterns.

SIEM Query:

source="chrome_logs" AND (event="crash" OR event="memory_error") AND version<"86.0.4240.111"

📊 Metadata

CVE ID: CVE-2020-16003
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: November 3, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-16003, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)