CVE-2019-13720

HIGH KEV

Google Chrome <78.0.3904.87 - Use After Free

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-13720 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 23, 2022. EIP tracks 3 public exploits from researchers including Forrest Orr, bb33bb, cve-2019-13720.

AI-analyzed exploit summary This is a functional exploit for CVE-2019-13720, a use-after-free vulnerability in Google Chrome (versions 76-78). It leverages PartitionAlloc heap manipulation, WASM JIT memory corruption, and an egghunter shellcode to achieve remote code execution, bypassing DEP, ASLR, CFG, and CET.

Description

Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Exploits (3)

exploitdb WORKING POC
by Forrest Orr · javascriptremotemultiple
https://www.exploit-db.com/exploits/50917

This is a functional exploit for CVE-2019-13720, a use-after-free vulnerability in Google Chrome (versions 76-78). It leverages PartitionAlloc heap manipulation, WASM JIT memory corruption, and an egghunter shellcode to achieve remote code execution, bypassing DEP, ASLR, CFG, and CET.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Google Chrome 76.0.3809.132 - 78.0.3904.70
No auth needed
Prerequisites: Target running vulnerable Chrome version · Multi-core CPU (fails on single-core) · Chrome launched with '--no-sandbox' for full RCE
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS 6 stars
by bb33bb · poc
https://github.com/bb33bb/CVE-2019-13720

The repository lacks actual exploit code and instead points to an external download (packetstorm) without providing technical details or analysis. The README is minimal and does not include any functional PoC or technical breakdown of CVE-2019-13720.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Chrome < 78.0.3904.70
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS 3 stars
by cve-2019-13720 · poc
https://github.com/cve-2019-13720/cve-2019-13720

The repository contains no exploit code or technical details, only a README with a YouTube link and an email address. This appears to be a social engineering lure rather than a legitimate PoC.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Permissions Required x_refsource_misc
https://crbug.com/1019226
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00022.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202004-04

Scores

CVSS v3 8.8
EPSS 0.8959
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-05-23
VulnCheck KEV 2019-10-29
InTheWild.io 2019-10-29
ENISA EUVD EUVD-2019-5139
CWE
CWE-416
Status published
Products (2)
google/chrome < 78.0.3904.87
opensuse/leap 15.1
Published Nov 25, 2019
KEV Added May 23, 2022
Tracked Since Feb 18, 2026