CVE-2020-6382 – This is a type confusion vulnerability in Chrom... (How to Fix)

Q: What is the severity of CVE-2020-6382?

CVE-2020-6382 has a CVSS score of 8.8 (HIGH). This is a type confusion vulnerability in Chrome's JavaScript engine that could allow an attacker to corrupt heap memory. Attackers can exploit this by tricking users into visiting a malicious webpage, potentially leading to arbitrary code execution. All users of affected Chrome versions are vulnerable.

📋 TL;DR

This is a type confusion vulnerability in Chrome's JavaScript engine that could allow an attacker to corrupt heap memory. Attackers can exploit this by tricking users into visiting a malicious webpage, potentially leading to arbitrary code execution. All users of affected Chrome versions are vulnerable.

💻 Affected Systems

Products:

Google Chrome

Versions: Prior to 80.0.3987.87

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default Chrome installations are vulnerable. Other Chromium-based browsers may also be affected.

📦 What is this software?

Backports Sle by Opensuse

View all CVEs affecting Backports Sle →

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within the sandboxed Chrome process.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Exploitation requires bypassing Chrome's sandbox and other security mitigations, making reliable exploitation challenging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 80.0.3987.87

Vendor Advisory: https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu. 3. Go to Help > About Google Chrome. 4. Chrome will automatically check for and install updates. 5. Click Relaunch to restart Chrome.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents JavaScript execution, which blocks the attack vector but breaks most websites.

Use browser extensions to block malicious sites

all

Extensions like uBlock Origin or NoScript can help block malicious content.

🧯 If You Can't Patch

Restrict access to untrusted websites using web filtering or proxy rules.
Implement application whitelisting to prevent unauthorized code execution.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings > About Chrome. If version is below 80.0.3987.87, it's vulnerable.

Check Version:

google-chrome --version

Verify Fix Applied:

Confirm Chrome version is 80.0.3987.87 or higher in Settings > About Chrome.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Unexpected process termination events

Network Indicators:

Requests to known malicious domains hosting exploit code

SIEM Query:

source="chrome" AND (event="crash" OR event="process_termination")

📊 Metadata

CVE ID: CVE-2020-6382

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-843

Published: February 11, 2020

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0514 Third Party Advisory
https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1031909 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4638 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0514 Third Party Advisory
https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1031909 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4638 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-6382, you might also want to check these: