CVE-2020-6493

9.6 CRITICAL

📋 TL;DR

This is a use-after-free vulnerability in Chrome's WebAuthentication API that allows a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox. It affects Google Chrome versions prior to 83.0.4103.97. Users who visit malicious websites with vulnerable Chrome versions are at risk.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 83.0.4103.97
Operating Systems: Windows, Linux, macOS, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WebAuthentication API to be enabled (default in Chrome).

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through sandbox escape, allowing an attacker to execute arbitrary code with system privileges.

🟠 Likely Case

Privilege escalation from a compromised renderer process to higher-privilege processes, potentially leading to data theft or further system compromise.

🟢 If Mitigated

Limited to renderer process compromise only, preventing system-level access.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites, making internet-facing systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Still exploitable via internal phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Requires renderer process compromise first, then sandbox escape. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 83.0.4103.97 and later

Vendor Advisory: https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click menu (three dots) → Help → About Google Chrome.
3. Chrome will automatically check for updates and install version 83.0.4103.97 or later.
4. Click Relaunch to restart Chrome.

🔧 Temporary Workarounds

Disable WebAuthentication API

Platform: all

Temporarily disable the vulnerable WebAuthentication API component:

chrome://flags/#enable-webauth
Set to 'Disabled'

Use Chrome Enterprise policies

Platform: all

Configure Chrome Enterprise policies to restrict WebAuthentication usage:

Configure 'WebAuthenticationRemoteProxiedRequestsAllowed' policy to false

🧯 If You Can't Patch

  • Use alternative browsers until Chrome can be updated
  • Implement strict web filtering to block malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 83.0.4103.97, system is vulnerable.

Check Version:

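  • Any platform: open chrome://version/
  • Linux: google-chrome --version
  • Windows PowerShell: (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(default)').VersionInfo.ProductVersion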

Verify Fix Applied:

Confirm Chrome version is 83.0.4103.97 or higher after update.
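
A scripted form of the version check above, as an added example that is not part of the original advisory: it classifies collected version strings against the fixed build 83.0.4103.97 using a field-by-field numeric comparison. The function names and the sample inventory lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample lines are constructed.
FIXED_VERSION="83.0.4103.97"   # patched build named in this advisory

# Extract the first four-part dotted version from a line such as
# "Google Chrome 83.0.4103.61" (the format `google-chrome --version` prints).
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed (return 0) if version $1 is lower than $2, comparing the four fields
# numerically. A string compare would rank 83.0.4103.106 below 83.0.4103.97.
version_lt() {
    a=$1 b=$2
    for i in 1 2 3 4; do
        fa=${a%%.*} fb=${b%%.*}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        a=${a#*.} b=${b#*.}
    done
    return 1   # equal versions are not "lower"
}

# Print VULNERABLE, PATCHED or UNKNOWN for one line of version output.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# Constructed inventory: host name, then that host's version output.
while IFS='|' read -r host line; do
    printf '%s\t%s\n' "$host" "$(chrome_status "$line")"
done <<'EOF'
ws-01|Google Chrome 83.0.4103.61
ws-02|Google Chrome 83.0.4103.97
ws-03|Google Chrome 83.0.4103.106
ws-04|chrome: command not found
EOF
```

Hosts reported as UNKNOWN returned no parseable version and need a manual check rather than being counted as patched.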

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with WebAuthentication-related stack traces
  • Unexpected renderer process termination

Network Indicators:

  • Connections to known malicious domains hosting exploit code
  • Unusual WebAuthentication API requests

SIEM Query:

source="chrome" AND (event="crash" OR event="process_termination") AND component="WebAuthentication"
