CVE-2019-5786

MEDIUM KEV

Google Chrome < 72.0.3626.121 - Use-After-Free in Blink via Crafted HTML Page

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-5786 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 23, 2022. EIP tracks 3 public exploits from researchers including Metasploit, exodusintel, Clement Lecigne, István Kurucsai, timwr, including a Metasploit module exploits/windows/browser/chrome_filereader_uaf.

AI-analyzed exploit summary This exploit leverages a use-after-free vulnerability in Chrome 72.0.3626.119 on Windows 7 x86 via the FileReader.readAsArrayBuffer function to achieve arbitrary memory access and execute shellcode within a WebAssembly object. It requires the Chrome sandbox to be disabled for successful payload execution.

Description

Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows_x86
https://www.exploit-db.com/exploits/46812

This exploit leverages a use-after-free vulnerability in Chrome 72.0.3626.119 on Windows 7 x86 via the FileReader.readAsArrayBuffer function to achieve arbitrary memory access and execute shellcode within a WebAssembly object. It requires the Chrome sandbox to be disabled for successful payload execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome 72.0.3626.119 on Windows 7 x86
No auth needed
Prerequisites: Chrome 72.0.3626.119 on Windows 7 x86 · Chrome sandbox disabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 256 stars
by exodusintel · client-side
https://github.com/exodusintel/CVE-2019-5786

This is a functional exploit for CVE-2019-5786, a Chrome FileReader UaF vulnerability. It leverages site isolation and heap spraying to achieve arbitrary read/write primitives, leading to RCE via shellcode execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Google Chrome 72.0.3626.119 on Windows 7 x86
No auth needed
Prerequisites: Chrome with --no-sandbox flag · Hosted exploit files on separate domains · Windows 7 x86 target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC MANUAL
by Clement Lecigne, István Kurucsai, timwr · rubypocwindows
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/chrome_filereader_uaf.rb

This Metasploit module exploits a use-after-free (UaF) vulnerability in Chrome 72.0.3626.119 on Windows 7 x86 via the FileReader.readAsArrayBuffer function. It leverages heap spraying and arbitrary memory access to execute shellcode within a WebAssembly object, bypassing Chrome's sandbox (if disabled).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Google Chrome 72.0.3626.119 on Windows 7 x86
No auth needed
Prerequisites: Chrome 72.0.3626.119 on Windows 7 x86 · Sandbox disabled for payload execution
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Issue Tracking x_refsource_misc
https://crbug.com/936448

Scores

CVSS v3 6.5
EPSS 0.8994
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-05-23
VulnCheck KEV 2019-02-27
InTheWild.io 2019-02-27
ENISA EUVD EUVD-2020-0957
CWE
CWE-416
Status published
Products (2)
google/chrome < 72.0.3626.121
npm/puppeteer 0 - 1.13.0npm
Published Jun 27, 2019
KEV Added May 23, 2022
Tracked Since Feb 18, 2026