⚠️ Chrome/Chromium zero-day RCE (CVE-2019-5786), actively exploited in the wild. Affected versions: < 72.0.3626.121

Information is beginning to circulate regarding CVE-2019-5786, a use-after-free (UAF) vulnerability in Chrome's FileReader API. The Chrome security team has indicated that it is being actively exploited in the wild. Details are limited, but the vulnerability is believed to permit remote code execution (RCE).

Some news sources have conflated this with another, less severe issue spotted by EdgeSpot relating to PDF files. Both EdgeSpot and Google have indicated that the issues are unrelated.

CVE-2019-5786 has been patched in Chrome version 72.0.3626.121, currently available on the stable channel. Other Chromium-based browsers, such as Vivaldi, may or may not be affected.

(Severity: 🔸high)
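
An added example (not part of the original alert or of Google's advisory): a triage check that compares browser `--version` output against the fixed build stated above. The tab-separated inventory format, hostnames and sample builds are constructed assumptions.

```python
import re

FIXED = (72, 0, 3626, 121)  # first patched Chrome build, per the alert

# Typical `--version` output, e.g. "Google Chrome 72.0.3626.119"
VERSION_RE = re.compile(r"^(Google Chrome|Chromium)\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(version_line):
    """Return 'affected', 'patched' or 'unknown' for one --version line."""
    m = VERSION_RE.match(version_line.strip())
    if not m:
        # Other Chromium-based browsers use their own version numbers,
        # so they cannot be compared against Chrome's fixed build.
        return "unknown"
    build = tuple(int(part) for part in m.groups()[1:])
    # Tuple comparison is numeric per component; a string comparison
    # would wrongly rank "72.0.3626.96" above "72.0.3626.121".
    return "affected" if build < FIXED else "patched"


def triage(inventory):
    """Map host -> status for 'host<TAB>version line' records."""
    result = {}
    for record in inventory.splitlines():
        if not record.strip():
            continue
        host, _, line = record.partition("\t")
        result[host.strip()] = classify(line)
    return result


# Constructed sample inventory (hostnames and builds are illustrative).
SAMPLE = (
    "ws-01\tGoogle Chrome 72.0.3626.119\n"
    "ws-02\tGoogle Chrome 72.0.3626.121\n"
    "ws-03\tChromium 72.0.3626.96 built on Debian 9.8\n"
    "ws-04\tVivaldi 2.3.1440.60\n"
)

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need the vendor's own advisory, since the alert only gives a fixed build for Chrome itself.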

Additional information:

- Announcement from Google: https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
- Chromium bug (not yet public): https://bugs.chromium.org/p/chromium/issues/detail?id=936448
- Tweet from a Chrome security engineer: https://twitter.com/justinschuh/status/1103087046661267456
- Patch: https://github.com/chromium/chromium/blob/ba9748e78ec7e9c0d594e7edf7b2c07ea2a90449/third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer_builder.h#L63-L67
- Patch review: https://chromium-review.googlesource.com/c/1492873 and https://chromium-review.googlesource.com/c/1495209
- Technical explanation: https://news.ycombinator.com/item?id=19325083
- Sophos: https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/
- Forbes (conflates CVE-2019-5786 and the PDF issue reported by EdgeSpot): https://www.forbes.com/sites/daveywinder/2019/03/07/google-confirms-serious-chrome-security-problem-heres-how-to-fix-it/

#alert #severityHigh #vulnerability #browser #chrome #rce #uaf #CVE20195786

17:05 07.03.19

