CVE-2019-5786

Google Chrome Blink Use-After-Free Vulnerability

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Attend

*SSVC

Descriptions

Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

El problema de la vida útil del objeto en Blink en Google Chrome antes del 72.0.3626.121 permitió que un atacante remoto pudiera realizar un acceso a la memoria fuera de límites a través de una página HTML diseñada.

Clement Lecigne discovered a use-after-free issue in chromium's file reader implementation. A maliciously crafted file could be used to remotely execute arbitrary code because of this problem.

Google Chrome Blink contains a heap use-after-free vulnerability that allows an attacker to potentially perform out of bounds memory access via a crafted HTML page.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Active

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2019-01-09 CVE Reserved
2019-03-11 CVE Published
2019-03-21 First Exploit
2022-05-23 Exploited in Wild
2022-06-13 KEV Due Date
2025-02-11 CVE Updated
2025-06-04 EPSS Updated

CWE

CWE-416: Use After Free

CAPEC

References (10)

URL	Tag	Source
https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786
https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html

URL	Date	SRC
https://packetstorm.news/files/id/152772	2019-05-08
https://www.exploit-db.com/exploits/46812	2019-05-08
https://github.com/exodusintel/CVE-2019-5786	2019-03-21
https://crbug.com/936448	2025-02-11

URL	Date	SRC

URL	Date	SRC
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html	2024-07-02
https://access.redhat.com/security/cve/CVE-2019-5786	2019-03-11
https://bugzilla.redhat.com/show_bug.cgi?id=1685162	2019-03-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Google Search vendor "Google"		Chrome Search vendor "Google" for product "Chrome"				< 72.0.3626.121 Search vendor "Google" for product "Chrome" and version " < 72.0.3626.121"		-		Affected