CVE-2020-6439

8.8 HIGH

📋 TL;DR

This vulnerability in Google Chrome allows attackers to bypass security user interface (UI) warnings and prompts by exploiting insufficient policy enforcement during navigations. Attackers can craft malicious HTML pages that trick users into unsafe actions without proper security warnings. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 81.0.4044.92
Operating Systems: Windows, macOS, Linux, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Chrome installations are vulnerable. Extensions or enterprise policies might provide some mitigation but don't fix the core vulnerability.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass security warnings to execute arbitrary code, steal sensitive data, or perform unauthorized actions by tricking users into visiting malicious sites without proper security warnings.

🟠

Likely Case

Attackers craft phishing pages that bypass Chrome's security warnings, leading to credential theft, malware installation, or other social engineering attacks.

🟢

If Mitigated

With updated Chrome and proper user awareness, the risk is limited to users who still visit obviously malicious sites despite other security indicators.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (visiting a crafted HTML page) but doesn't require authentication. The bug report suggests relatively straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 81.0.4044.92

Vendor Advisory: https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click the three-dot menu.
3. Go to Help > About Google Chrome.
4. Chrome will automatically check for and install updates.
5. Click 'Relaunch' to restart Chrome with the fixed version.

🔧 Temporary Workarounds

Disable automatic navigation

Platform: all

Configure Chrome to require user confirmation for all navigations

chrome://flags/#disable-features=AutomaticTabDiscarding

Enable strict site isolation

Platform: all

Force site isolation for all sites to limit impact

chrome://flags/#enable-site-per-process

🧯 If You Can't Patch

  • Use alternative browsers until Chrome can be updated
  • Implement network filtering to block suspicious domains and restrict web navigation

🔍 How to Verify

Check if Vulnerable:

Check the installed Chrome version: if it is lower than 81.0.4044.92, the system is vulnerable.

Check Version:

Linux: google-chrome --version
Any platform: open chrome://version in the browser

Verify Fix Applied:

Verify Chrome version is 81.0.4044.92 or higher after update.
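An added example, not part of this advisory, that performs the version check above numerically: comparing the strings lexically would wrongly rank "81.0.4044.129" below "81.0.4044.92". It assumes a Linux host with a `google-chrome` binary on the path; the version banners used in the comments are constructed samples.

```python
import re
import subprocess

# Release that fixes CVE-2020-6439, taken from the advisory above.
FIXED_VERSION = "81.0.4044.92"


def parse_version(text):
    """Extract a dotted version from text such as the output of
    `google-chrome --version` (e.g. the constructed sample
    "Google Chrome 80.0.3987.163") and return it as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to four components so "81.0" compares like "81.0.0.0".
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True if the installed version is older than the fixed release.
    Tuple comparison avoids the string-comparison trap where
    "81.0.4044.129" sorts before "81.0.4044.92" lexically."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version(binary="google-chrome"):
    """Run `<binary> --version` (Linux) and return its output, or None if
    the binary is missing. Assumed binary name; adjust for your distro."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    banner = installed_chrome_version()
    if banner is None:
        print("google-chrome not found; open chrome://version instead")
    else:
        state = "VULNERABLE" if is_vulnerable(banner) else "patched"
        print(f"{banner}: {state} (fixed in {FIXED_VERSION})")
```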

📡 Detection & Monitoring

Log Indicators:

  • Unusual navigation patterns in Chrome logs
  • Multiple security warning bypass attempts

Network Indicators:

  • Traffic to domains hosting crafted HTML pages with unusual navigation patterns

SIEM Query:

source="chrome" AND (event="navigation" OR event="security_warning") AND status="bypassed"
