CVE-2019-5786
MEDIUM6.5⚠ KEVEPSS 89.9%Use-After-Free in puppeteer
Published: 9/2/2020Modified: 4/28/2026Added to CISA KEV: 5/23/2022
Description
Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
Affected packages (3)
- Debian/chromiumfrom 0, < 72.0.3626.121-1
- Debian/chromiumfrom 0, < 72.0.3626.122-1~deb9u1
- npm/puppeteerfrom 0, < 1.13.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-5786
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-5786
- PATCHhttps://github.com/GoogleChrome/puppeteer
- WEBhttps://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation
- WEBhttps://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
- WEBhttps://crbug.com/936448
- WEBhttps://github.com/GoogleChrome/puppeteer/issues/4141
- WEBhttps://snyk.io/vuln/SNYK-JS-PUPPETEER-174321
- WEBhttps://www.npmjs.com/advisories/824