CVE-2019-5825

MEDIUM KEV

Google Chrome < 73.0.3683.86 - Out-of-bounds Write via JavaScript Array.map

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-5825 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2022. EIP tracks 3 public exploits from researchers including Metasploit, timwr, dmxcsnsbh, István Kurucsai, timwr, including a Metasploit module exploits/multi/browser/chrome_array_map.

AI-analyzed exploit summary This Metasploit module exploits a memory corruption vulnerability in Chrome 72/73 via Array.map to achieve arbitrary read/write, then uses WebAssembly for RWX memory allocation and payload execution. It requires the browser to run with --no-sandbox for full impact.

Description

Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/48183

This Metasploit module exploits a memory corruption vulnerability in Chrome 72/73 via Array.map to achieve arbitrary read/write, then uses WebAssembly for RWX memory allocation and payload execution. It requires the browser to run with --no-sandbox for full impact.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome 72.0.3683.86 (64-bit) and 73.0.3683.86 (64-bit)
No auth needed
Prerequisites: Browser must be run with --no-sandbox flag · Target must visit attacker-controlled page
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 8 stars
by timwr · client-side
https://github.com/timwr/CVE-2019-5825

This repository contains a functional exploit for CVE-2019-5825, targeting a vulnerability in Chrome 73.0.3683.86 (V8 6.9.0). The exploit leverages a type confusion bug to achieve arbitrary read/write (AARW) and executes shellcode via WebAssembly for remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome 73.0.3683.86 (V8 6.9.0)
No auth needed
Prerequisites: Chrome 73.0.3683.86 with --no-sandbox flag
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC MANUAL
by dmxcsnsbh, István Kurucsai, timwr · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_array_map.rb

This Metasploit module exploits a memory corruption vulnerability in Google Chrome 72/73 (CVE-2019-5825) by corrupting the length of a float array to achieve arbitrary read/write, then uses WebAssembly to execute shellcode in RWX memory. The exploit requires the browser to be run with --no-sandbox for full impact.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome 73.0.3683.86 (64-bit)
No auth needed
Prerequisites: Target must visit a malicious page · Browser must be run with --no-sandbox
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://crbug.com/941743
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/156641/Google-Chrome-72-73-Array.map-Corruption.html

Scores

CVSS v3 6.5
EPSS 0.7825
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-06-08
VulnCheck KEV 2019-09-24
InTheWild.io 2022-06-08
ENISA EUVD EUVD-2019-15396
CWE
CWE-787
Status published
Products (1)
google/chrome < 73.0.3683.86
Published Nov 25, 2019
KEV Added Jun 08, 2022
Tracked Since Feb 18, 2026