CVE-2020-6404 – This vulnerability in Google Chrome's Blink ren... (How to Fix)

Q: What is the severity of CVE-2020-6404?

CVE-2020-6404 has a CVSS score of 8.8 (HIGH). This vulnerability in Google Chrome's Blink rendering engine allows remote attackers to potentially execute arbitrary code or cause denial of service via heap corruption. Attackers can exploit this by tricking users into visiting a malicious website. All users of affected Chrome versions are at risk.

📋 TL;DR

This vulnerability in Google Chrome's Blink rendering engine allows remote attackers to potentially execute arbitrary code or cause denial of service via heap corruption. Attackers can exploit this by tricking users into visiting a malicious website. All users of affected Chrome versions are at risk.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Versions prior to 80.0.3987.87

Operating Systems: Windows, macOS, Linux, Android, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Extensions or security settings don't mitigate this.

📦 What is this software?

Backports Sle by Opensuse

View all CVEs affecting Backports Sle →

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within browser sandbox.

🟢

If Mitigated

Minimal impact if browser sandbox contains the exploit or if exploit fails.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites without user interaction beyond visiting the site.

🏢 Internal Only: MEDIUM - Requires user to visit malicious internal page or attacker to control internal web content.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploit requires crafting malicious HTML/JavaScript but doesn't need authentication. Public bug report exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 80.0.3987.87 and later

Vendor Advisory: https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click menu → Help → About Google Chrome. 3. Chrome will automatically check for and install update. 4. Click Relaunch to restart Chrome.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution in Chrome

Use Site Isolation

all

Enables Chrome's Site Isolation feature to limit impact

🧯 If You Can't Patch

Restrict web browsing to trusted sites only
Use alternative browser temporarily

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in menu → Help → About Google Chrome. If version is below 80.0.3987.87, you're vulnerable.

Check Version:

google-chrome --version (Linux) or check Chrome settings on Windows/macOS

Verify Fix Applied:

Confirm Chrome version is 80.0.3987.87 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Unexpected process termination
Sandbox escape attempts

Network Indicators:

Requests to known malicious domains hosting exploit
Unusual outbound connections after visiting web page

SIEM Query:

source="chrome" AND (event="crash" OR event="process_termination")

📊 Metadata

CVE ID: CVE-2020-6404

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: February 11, 2020

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0514 Third Party Advisory
https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1024256 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4638 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0514 Third Party Advisory
https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1024256 Exploit,Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4638 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-6404, you might also want to check these: