CVE-2020-16040

Severity: MEDIUM · Exploited in the wild

Google Chrome versions before 87.0.4280.88 integer overflow during SimplifiedLowering phase

Title source: metasploit

Exploitation Summary

CVE-2020-16040 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including r4j0x00 and Rajvardhan Agarwal (r4j), among them the Metasploit module exploits/multi/browser/chrome_simplifiedlowering_overflow.

AI-analyzed exploit summary: This exploit leverages a heap corruption vulnerability in Google Chrome's V8 engine (CVE-2020-16040) to achieve remote code execution. It uses WebAssembly and crafted JavaScript to manipulate memory, achieve arbitrary read/write, and execute shellcode on a RWX page.

Description

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Exploits (3)

exploitdb · WORKING POC
by r4j0x00 · javascript · remote · multiple
https://www.exploit-db.com/exploits/49745

This exploit leverages a heap corruption vulnerability in Google Chrome's V8 engine (CVE-2020-16040) to achieve remote code execution. It uses WebAssembly and crafted JavaScript to manipulate memory, achieve arbitrary read/write, and execute shellcode on a RWX page.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome < 87.0.4280.88
Authentication: none needed
Prerequisites: Victim must visit a crafted HTML page
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · MANUAL
by Rajvardhan Agarwal (r4j) · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_simplifiedlowering_overflow.rb

This exploit leverages an integer overflow in Google Chrome's SimplifiedLowering phase to achieve arbitrary read/write in the isolate region, followed by RWX memory allocation via WebAssembly to execute shellcode. It requires the browser to be run with --no-sandbox for full payload execution.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Google Chrome versions before 87.0.4280.88 (64-bit)
Authentication: none needed
Prerequisites: Target must visit a malicious webpage · Browser must be run with --no-sandbox for full payload execution
devstral-2 · analyzed Feb 16, 2026

References (5)


Scores

CVSS v3: 6.5
EPSS: 0.7407
EPSS Percentile: 98.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

VulnCheck KEV: 2026-01-26
CWE: CWE-190, CWE-20, CWE-787
Status: published
Products (1): google/chrome < 87.0.4280.88
Published: Jan 08, 2021
Tracked Since: Feb 18, 2026