HighCISA KEVExploited in the wildPublic exploit

Heap corruption in Google Chrome V8 via crafted HTML page

IdentifiersCVE-2020-16009CWE-787· Out-of-bounds Write

CVE-2020-16009 is a vulnerability in the V8 JavaScript engine used by Google Chrome and Chrome for Android prior to 86.0.4240.183. The issue is described by Google as an inappropriate implementation in V8 that allows a remote attacker to potentially trigger heap corruption by convincing a target to render a crafted HTML page. Supporting context further characterizes it as a V8 programming flaw that can enable remote code execution. The vulnerable condition is reached through malicious web content processed by the browser, resulting in memory corruption in the renderer context.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause heap corruption in the browser process handling the malicious page and may enable remote code execution. At minimum, this is a memory-corruption issue with potential for process compromise and browser-context data exposure. The provided context also states the vulnerability was exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

Until patches are deployed, reduce exposure to attacker-controlled web content. Prevent or restrict rendering of untrusted HTML, especially in embedded Chromium/CefSharp contexts; enforce allowlisting of trusted origins where feasible; limit risky browsing/navigation paths; and apply vendor browser updates as soon as available. Because exploitation is triggered via crafted web content, user exposure to malicious or compromised sites should be minimized.

Remediation

Patch, then assume compromise.

Upgrade Google Chrome and Chrome for Android to version 86.0.4240.183 or later. For affected Chromium-based products, apply the corresponding vendor updates. In embedded Chromium distributions referenced in the advisory context, upgrade affected CefSharp NuGet packages to 86.0.241 or later.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CefsharpCefsharpapplication

CefsharpCefsharp.Commonapplication

CefsharpCefsharp.Winformsapplication

CefsharpCefsharp.Wpfapplication

CefsharpCefsharp.Wpf.Hwndhostapplication

DebianDebian Linuxoperating_system

Fedora ProjectFedoraoperating_system

GoogleChromeapplication

Microsoft CorporationEdgeapplication

Microsoft CorporationEdge Chromiumapplication

OpensuseBackports Sleapplication

OpensuseLeapoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

zeropath blogNews

Apr 15, 2026

Brief Summary: Google Chrome CVE-2026-6307 Turbofan Type Confusion Enabling Sandboxed Code Execution - ZeroPath Blog | ZeroPath

A prior Chrome Turbofan type confusion vulnerability referenced for historical comparison with similar root cause patterns in V8 JIT compilation.

kyberturvallisuuskeskus infosecNews

Nov 4, 2020

Google julkaisi korjaavia päivityksiä Chrome-selainten kriittisiin haavoittuvuuksiin | Kyberturvallisuuskeskus

A critical V8 programming flaw in Chrome and Chrome for Android that allows remote code execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2020-16009

NVD

nvd.nist.gov/vuln/detail/CVE-2020-16009

MITRE CWE · CWE-787

Out-of-bounds Write

Vendor Advisory

chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html

Third Party Advisory

packetstormsecurity.com/files/159974/Chrome-V8-Turbofan-Type-Confusion.html

Third Party Advisory

security.gentoo.org/glsa/202011-12

Third Party Advisory

debian.org/security/2021/dsa-4824

Exploit

crbug.com/1143772

Release Notes

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S4XYJ7B6OXHZNYSA5J3DBUOFEC6WCAGW

Release Notes

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SC3U3H6AISVZB5PLZLLNF4HMQ4UFFL7M

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16009