CVE-2020-6406 – CVE-2020-6406 is a use-after-free vulnerability... (How to Fix)

Q: What is the severity of CVE-2020-6406?

CVE-2020-6406 has a CVSS score of 8.8 (HIGH). CVE-2020-6406 is a use-after-free vulnerability in Chrome's audio component that allows remote attackers to potentially exploit heap corruption via crafted HTML pages. This could lead to arbitrary code execution or browser crashes. All users of Google Chrome prior to version 80.0.3987.87 are affected.

📋 TL;DR

CVE-2020-6406 is a use-after-free vulnerability in Chrome's audio component that allows remote attackers to potentially exploit heap corruption via crafted HTML pages. This could lead to arbitrary code execution or browser crashes. All users of Google Chrome prior to version 80.0.3987.87 are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 80.0.3987.87

Operating Systems: Windows, Linux, macOS, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default Chrome configurations are vulnerable. Chromium-based browsers may also be affected depending on their codebase.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise if Chrome is running with elevated privileges.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within Chrome's sandbox, potentially allowing data theft or further exploitation.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious websites without user interaction beyond visiting the site.

🏢 Internal Only: MEDIUM - Requires user to visit malicious internal pages, but could be exploited via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires bypassing Chrome's sandbox and other security mitigations, but proof-of-concept code exists in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 80.0.3987.87 and later

Vendor Advisory: https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome and click the three-dot menu. 2. Go to Help > About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the updated version.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious JavaScript that could trigger the vulnerability

chrome://settings/content/javascript

Use Site Isolation

all

Enables site isolation to limit impact of potential exploits

chrome://flags/#enable-site-per-process

🧯 If You Can't Patch

Restrict access to untrusted websites using web filtering or proxy controls
Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check Chrome version by navigating to chrome://version and comparing to 80.0.3987.87

Check Version:

chrome://version

Verify Fix Applied:

Confirm Chrome version is 80.0.3987.87 or higher in chrome://version

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Unexpected process terminations
Memory access violation errors

Network Indicators:

Requests to known malicious domains hosting exploit code
Unusual outbound connections from Chrome processes

SIEM Query:

process_name:"chrome.exe" AND (event_id:1000 OR event_id:1001) OR http_user_agent:"Chrome/79.*"

📊 Metadata

CVE ID: CVE-2020-6406

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: February 11, 2020

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0514 Third Party Advisory
https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1042254 Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4638 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0514 Third Party Advisory
https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html Vendor Advisory
https://crbug.com/1042254 Issue Tracking,Patch,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://security.gentoo.org/glsa/202003-08 Third Party Advisory
https://www.debian.org/security/2020/dsa-4638 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-6406, you might also want to check these: