CVE-2020-16045

9.6 CRITICAL

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's Payments component on Android that allows a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox. Attackers could gain elevated privileges and execute arbitrary code on the affected device. Only users running vulnerable versions of Chrome on Android are affected.

💻 Affected Systems

Products:
  • Google Chrome for Android
Versions: Versions prior to 87.0.4280.66
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Requires renderer process compromise first, then this vulnerability enables sandbox escape.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full device compromise - attacker escapes the Chrome sandbox, gains system-level access, installs persistent malware, steals sensitive data, and controls the device.

🟠 Likely Case: Limited sandbox escape allowing installation of additional malware, credential theft, and surveillance capabilities within the compromised browser context.

🟢 If Mitigated: Attack contained within the Chrome sandbox with minimal impact if proper security controls and updated versions are in place.

🌐 Internet-Facing: HIGH - Remote exploitation via crafted HTML pages makes internet-facing devices highly vulnerable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires chaining with renderer compromise first, but once achieved, sandbox escape is possible via crafted HTML.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 87.0.4280.66 and later

Vendor Advisory: https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html

Restart Required: Yes

Instructions:

1. Open Google Play Store
2. Search for Chrome
3. Update to version 87.0.4280.66 or later
4. Restart Chrome after the update

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Temporarily disable JavaScript to prevent exploitation via crafted HTML.

Setting: chrome://settings/content/javascript

Use alternative browser (applies to: all)

Switch to an updated or unaffected browser until Chrome is patched.

🧯 If You Can't Patch

  • Restrict browsing to trusted websites only
  • Implement network filtering to block malicious HTML content

🔍 How to Verify

Check if Vulnerable:

Check the Chrome version in Settings > About Chrome. If the version is below 87.0.4280.66, the device is vulnerable.

Check Version:

chrome://version

Verify Fix Applied:

Confirm Chrome version is 87.0.4280.66 or higher in Settings > About Chrome.
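The version check above is easy to get wrong at scale when versions are compared as strings (e.g. "9..." sorts after "87..."). The following is an added example, not part of this advisory or Google's tooling: it compares four-part Chrome versions numerically against the fixed build and pulls the installed version out of `adb shell dumpsys package com.android.chrome` output (the `versionName=` field is real; the dumpsys sample below is constructed, not captured from a device).

```python
import re
from typing import Optional

# First fixed Chrome for Android build named in the advisory.
FIXED_VERSION = "87.0.4280.66"


def parse_version(version: str) -> tuple:
    """Split MAJOR.MINOR.BUILD.PATCH into an int tuple so comparison is numeric, not lexical."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def chrome_version_from_dumpsys(dumpsys_output: str) -> Optional[str]:
    """Extract versionName from `adb shell dumpsys package com.android.chrome` output."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed, abridged dumpsys sample for offline use (not real device output).
SAMPLE_DUMPSYS = """Packages:
  Package [com.android.chrome] (1a2b3c4):
    userId=10123
    versionCode=424019800 minSdk=24 targetSdk=30
    versionName=86.0.4240.198
    splits=[base]
"""


def audit(dumpsys_output: str) -> dict:
    """Report the installed version and whether it predates the fix (None if Chrome is absent)."""
    version = chrome_version_from_dumpsys(dumpsys_output)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    print(audit(SAMPLE_DUMPSYS))
```

On a real fleet, feed each device's `adb shell dumpsys package com.android.chrome` output to `audit()` and flag any result with `vulnerable: True`.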

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with payments component errors
  • Unusual process creation from Chrome renderer

Network Indicators:

  • Requests to known exploit domains
  • Unusual HTML payloads in network traffic

SIEM Query:

source="chrome" AND (event_type="crash" OR process_name="chrome_renderer") AND message="*payments*"
