CVE-2020-6418

HIGH KEV

Google Chrome <80.0.3987.122 - Heap Corruption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-6418 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 6 public exploits from researchers including Metasploit, Goyotan, ulexec, including a Metasploit module exploits/multi/browser/chrome_jscreate_sideeffect.

AI-analyzed exploit summary This Metasploit module exploits a type confusion vulnerability in Google Chrome 80.0.3987.87 (64-bit) via JSCreate side-effects, enabling out-of-bounds memory access and arbitrary read/write primitives. It leverages WebAssembly for RWX memory allocation and executes shellcode within the sandboxed renderer process.

Description

Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/48186

This Metasploit module exploits a type confusion vulnerability in Google Chrome 80.0.3987.87 (64-bit) via JSCreate side-effects, enabling out-of-bounds memory access and arbitrary read/write primitives. It leverages WebAssembly for RWX memory allocation and executes shellcode within the sandboxed renderer process.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome 80.0.3987.87 (64-bit)
No auth needed
Prerequisites: Target must be running Google Chrome 80.0.3987.87 (64-bit) · Browser must be run with --no-sandbox option for payload execution
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 4 stars
by Goyotan · client-side
https://github.com/Goyotan/CVE-2020-6418-PoC

This repository contains a functional exploit PoC for CVE-2020-6418, a type confusion vulnerability in V8 (Chrome's JavaScript engine). The exploit leverages a race condition to achieve out-of-bounds (OOB) memory access, leading to arbitrary read/write primitives and ultimately remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Chrome V8 (8.0.426.23)
No auth needed
Prerequisites: Specific V8 version (8.0.426.23) · Ubuntu 18.04 LTS environment · Chrome with V8 flags enabled (e.g., --allow-natives-syntax)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 3 stars
by ulexec · client-side
https://github.com/ulexec/ChromeSHELFLoader

This repository contains a functional exploit for CVE-2020-6418, a type confusion vulnerability in Chrome's V8 JavaScript engine. The provided JavaScript code implements an ELF loader to resolve symbols and relocations, which is a critical component for exploiting the vulnerability to achieve remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome (V8 JavaScript engine)
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a crafted HTML file
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 1 stars
by SivaPriyaRanganatha · poc
https://github.com/SivaPriyaRanganatha/CVE-2020-6418

The repository provides a detailed technical analysis of CVE-2020-6418, a type confusion vulnerability in Google Chrome's V8 engine, including patch analysis and exploitation steps using Metasploit. It lacks actual exploit code but offers in-depth guidance on setup and execution.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Google Chrome prior to 80.0.3987.122
No auth needed
Prerequisites: Google Chrome with sandbox disabled · Metasploit Framework · Target system running vulnerable Chrome version
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC MANUAL
by Clément Lecigne, István Kurucsai, Vignesh S Rao, timwr · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_jscreate_sideeffect.rb

This exploit leverages a type confusion vulnerability in Google Chrome 80.0.3987.87 to achieve arbitrary read/write primitives, ultimately executing shellcode in the sandboxed renderer process. It requires the browser to be run with the --no-sandbox option for full exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Google Chrome 80.0.3987.87 (64-bit)
No auth needed
Prerequisites: Google Chrome 80.0.3987.87 (64-bit) · --no-sandbox flag
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://crbug.com/1053604
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0738
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4638
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202003-08

Scores

CVSS v3 8.8
EPSS 0.8637
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-02-18
InTheWild.io 2020-02-18
ENISA EUVD EUVD-2020-27568
CWE
CWE-843
Status published
Products (8)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 30
fedoraproject/fedora 31
google/chrome < 80.0.3987.122
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_workstation 6.0
Published Feb 27, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026