A high-severity ‘use-after-free’ vulnerability, tracked as CVE-2020-6492 with a CVSSv3 base score of 8.3, exists in the WebGL (Web Graphics Library) component of the Google Chrome web browser and could be used to execute arbitrary code in the context of the browser process.
An attacker exploiting this vulnerability could disclose sensitive information, bypass security restrictions, crash the application, or even execute arbitrary code in the context of the browser, typically by luring a victim to a specially crafted webpage.
The CVE-2020-6492 vulnerability was discovered by Cisco Talos research engineer Marcin Towalski. It arises when the WebGL component fails to properly handle objects in memory, and it specifically resides in ANGLE, the compatibility layer between OpenGL and Direct3D that the Chrome browser uses on Windows systems.
To exploit the vulnerability, an attacker would have to manipulate the browser’s memory layout so as to take control of the freed object behind the use-after-free flaw, which could ultimately lead to arbitrary code execution.
According to the vulnerability advisory released by the researchers, the issue exists in an ANGLE function called “State::syncTextures”, which is responsible for checking whether a texture has any so-called DirtyBits. These are “bitsets” indicating whether a specific state value, associated with a block of memory, has been changed.
An attacker could reach the vulnerable code through the “drawArraysInstanced” function. When State::syncTextures synchronizes texture state through the ‘Texture::syncState’ function, a use-after-free condition arises, which can crash the program or potentially result in the execution of arbitrary code.
Affected versions: Google Chrome 85.0.4183.83 and prior.
This vulnerability could allow a remote attacker to execute arbitrary code on the affected systems.
CVE-2020-6492 was expected to be fixed in the latest Chrome 85 release, but according to the Chrome release updates, we could not confirm whether the vulnerability was addressed.