CVE-2020-6514

Exploitation Summary

EIP tracks 4 public exploits for CVE-2020-6514. PoCs published by hasan-khalil.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2020-6514, targeting WebRTC implementations in applications like Duo, JioChat, VK, OK, and Signal. The exploit leverages memory corruption in the SCTP/SRTP handling to achieve remote code execution (RCE) by manipulating vtables and function pointers.

Description

Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream.

Exploits (4)

nomisec WORKING POC 2 stars

by hasan-khalil · poc

https://github.com/hasan-khalil/CVE-2020-6514

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2020-6514, targeting WebRTC implementations in applications like Duo, JioChat, VK, OK, and Signal. The exploit leverages memory corruption in the SCTP/SRTP handling to achieve remote code execution (RCE) by manipulating vtables and function pointers.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: WebRTC-based applications (e.g., Duo, JioChat, VK, OK, Signal)

No auth needed

Prerequisites: Target must be using vulnerable WebRTC implementation · Attacker must establish a WebRTC connection with the target

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/rojhack/cve-2020-6514

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2020-6514, targeting WebRTC implementations in applications like Duo, JioChat, VK, OK, and Signal. The exploit leverages memory corruption in the SCTP/SRTP handling to achieve remote code execution (RCE) by manipulating vtables and heap structures.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: WebRTC implementations (libringrtc_rffi.so, usrsctp, etc.)

No auth needed

Prerequisites: Target must initiate a WebRTC call · Exploit must be injected into the call flow

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/r0jhack/cve-2020-6514

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2020-6514, targeting WebRTC implementations in applications like Duo, JioChat, VK, OK, and Signal. The exploit leverages memory corruption in the SCTP/SRTP handling to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: WebRTC implementations (libringrtc_rffi.so)

No auth needed

Prerequisites: Target must initiate a WebRTC call · Exploit must be injected into the WebRTC session

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/hassanazze/cve-2020-6514

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2020-6514, targeting WebRTC implementations in multiple applications (Duo, JioChat, VK, OK, Signal). The exploit leverages memory corruption in the SCTP/SRTP handling to achieve remote code execution (RCE) by manipulating vtables and exploiting predictable PRNG states.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: WebRTC-based applications (Duo, JioChat, VK, OK, Signal)

No auth needed

Prerequisites: Target must initiate a WebRTC call · Exploit requires precise memory manipulation and timing

MITRE ATT&CK