CVE-2019-13720 is a new vulnerability in Chrome. Google is warning users that this use-after-free vulnerability in the browser’s audio component is currently being exploited in the wild.
CVE-2019-13720: some details
CVE-2019-13720 was discovered by Kaspersky security researchers Anton Ivanov and Alexey Kulaev
The vulnerability is highly severe, and is putting users at risk of attacks. Users are urged to update to latest version of Chrome, 78.0.3904.87, which will be rolling out in the upcoming days.
A successful exploit of the vulnerability could allow the attacker take control of the vulnerable system.
As already mention, the flaw is described as an use-after-free issue. Use-after-free vulnerabilities are in fact related to memory corruption. In these attacks, hackers are making attempts to access memory after it has been freed. This could lead to various malicious scenarios, such as crashing a program or even performing arbitrary code execution attacks.
Google is aware of the issue and that an exploit of the bug exists in the wild. “The stable channel has been updated to 78.0.3904.87 for Windows, Mac, and Linux, which will roll out over the coming days/weeks,” Google said.
CVE-2019-13721 – another user-after-free bug fixed by Google
This is not the only vulnerability Google disclosed in the past few days. Another high-severity bug is CVE-2019-13721, which resides in PDFium. PDFium was developed by Foxit and Google, and is a PDF generation and rendering library.
CVE-2019-13721 is also of the use-after-free type but fortunately, there is no evidence of the bug being exploited in the wild. The bug was reported by a researcher known as “banananapenguin” who received a $7500 bounty via Google’s vulnerability disclosure program.
Google also noted that “access to bug details and links may be kept restricted until a majority of users are updated with a fix”.