CVE-2019-5782

HIGH · EXPLOITED IN THE WILD

Google Chrome < 72.0.3626.81 - Remote Code Execution via V8 Optimization Assumptions

Exploitation Summary

CVE-2019-5782 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including edxsh.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2019-5782 and CVE-2019-13768, targeting Chrome 71.0.3578.98 on Windows. The exploit leverages memory corruption and ROP gadgets to achieve remote code execution, with modifications to improve reliability on newer Windows versions.

Description

Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Exploits (2)

nomisec · WORKING POC · 22 stars
by edxsh · poc
https://github.com/edxsh/CVE-2019-5782_CVE-2019-13768

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome 71.0.3578.98
No auth needed
Prerequisites: Target running Chrome 71.0.3578.98 on Windows 10 1909+ · Network access to the target
devstral-2 · analyzed Feb 16, 2026

inthewild · WORKING POC
poc
https://github.com/zwcreatephoton/cve-2019-5782_cve-2019-13768

This repository contains a functional exploit for CVE-2019-5782, targeting Chrome 71.0.3578.98 on Windows. It leverages memory corruption via a use-after-free vulnerability in the FileReader API, combined with ROP gadgets to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome 71.0.3578.98
No auth needed
Prerequisites: Chrome 71.0.3578.98 on Windows 10 1909+ · Python 2.7 with CherryPy for serving the exploit
devstral-2 · analyzed Feb 23, 2026

References (7)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/106767
Issue Tracking (x_refsource_misc): https://crbug.com/906043
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:0309
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2019/dsa-4395

Scores

CVSS v3: 8.8
EPSS: 0.7483
EPSS Percentile: 98.9%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2024-02-02
InTheWild.io: 2020-10-19
CWE: CWE-125, CWE-787
Status: published
Products (7):
debian/debian_linux 9.0
fedoraproject/fedora 29
fedoraproject/fedora 30
google/chrome < 72.0.3626.81
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_workstation 6.0
Published: Feb 19, 2019
Tracked Since: Feb 18, 2026