CVE-2020-16010 is yet another critical zero-day that Google recently patched. This time, affected is the Android version of the Chrome browser. The vulnerability is a heap buffer overflow in UI in Google Chrome on Android in versions prior to 86.0.4240.185.
What is CVE-2020-16010?
CVE-2020-16010 could allow a remote attacker who had compromised the renderer process to potentially perform a sandbox escape using a crafted HTML page.
Note that “Google is aware of reports that an exploit for CVE-2020-16010 exists in the wild.” In addition to the bug fix, the latest Chrome for Android release also includes stability and performance improvements.
Chrome users should update their installations immediately.
Not the first zero-day exploited this year
Earlier this month, security researchers disclosed information about CVE-2020-15999, another zero-day bug in Chrome which was actively exploited. This zero-day is a type of memory-corruption vulnerability, known as heap buffer overflow in FreeType, an open-source development library for rendering fonts included in standard Chrome distributions.
The flaw was discovered by Google Project Zero’s security researcher Sergei Glazunov on October 19. What is more, CVE-2020-15999 is the third zero-day exploited in attacks in the past year. CVE-2019-13720 was spotted in October 2019, and CVE-2020-6418 – in February 2020. CVE-2019-13720 was a use-after-free issue, related to memory corruption, whereas CVE-2020-6418 was a type confusion vulnerability.