What is FreeType in Chrome?
FreeType is an open-source font rendering library used by Chrome (and many other applications) to render text. Chrome's renderer process uses FreeType to process font files embedded in web pages or referenced by web content. Fonts can contain embedded images (PNG or bitmap glyphs) in addition to vector outlines — the Load_SBit_Png function in FreeType processes PNG images embedded within font files. When a web page references a crafted font file containing a malformed PNG glyph, Chrome's renderer calls FreeType to render the font, triggering the vulnerability. Because Chrome's renderer process is sandboxed, FreeType exploitation achieves code execution within the renderer sandbox — which must then be combined with a sandbox escape to affect the host OS.
Overview
CVE-2020-15999 is a heap buffer overflow (CWE-787) in the FreeType library as used in Google Chrome, specifically in the Load_SBit_Png function when processing PNG images embedded in font files. A specially crafted font with a malicious PNG glyph causes FreeType to overflow a heap buffer, corrupting adjacent memory in Chrome's renderer process. It was discovered as a zero-day by Sergei Glazunov (Google Project Zero) while it was being actively exploited, and Google shipped an emergency fix in Chrome 86.0.4240.111 on October 20, 2020. The exploit was used in chains: CVE-2020-15999 (renderer RCE) → CVE-2020-17087 (Windows kernel pool corruption for OS escalation) on Windows, and CVE-2020-15999 → CVE-2020-16010 (Chrome Android sandbox escape) on Android.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome before 86.0.4240.111 | Yes | 86.0.4240.111 |
| FreeType before 2.10.4 | Yes | 2.10.4 |
| Any application using FreeType before 2.10.4 for font rendering | Yes | Update to FreeType 2.10.4+ |
Technical Details
- Root cause: Heap buffer overflow (CWE-787) in FreeType's Load_SBit_Png function — when a font file contains a PNG image glyph (used for emoji or color fonts), FreeType parses the PNG header to determine the image's width and height, then allocates a buffer based on those dimensions; a crafted PNG glyph can specify smaller dimensions in the PNG header than the actual PNG data, causing Load_SBit_Png to allocate an undersized buffer and overflow it when writing the full image data
- Renderer heap corruption: The buffer overflow occurs in Chrome's renderer process heap; by carefully crafting the font's PNG data, the attacker corrupts adjacent heap metadata or objects in a controlled way, achieving a write-what-where condition for renderer code execution via heap exploitation techniques
- Scope: Changed (S:C): The renderer is sandboxed; S:C reflects that exploitation crosses the same-origin policy boundary within the renderer (affecting cross-origin content through font rendering) rather than the OS boundary; full OS impact requires chaining with a sandbox escape
- CVE-2020-17087 chain (Windows): FreeType renderer RCE (CVE-2020-15999) → Windows kernel pool corruption via cng.sys (CVE-2020-17087) → local privilege escalation to SYSTEM; together this provides a complete browser-to-OS chain on Windows
- CVE-2020-16010 chain (Android): FreeType renderer RCE (CVE-2020-15999) → Chrome Android UI heap overflow sandbox escape (CVE-2020-16010) → full device compromise; both patched simultaneously in November 2020
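To make the allocation mismatch in the root-cause bullet concrete, here is a constructed C model of the Load_SBit_Png pattern, written for this page and not taken from FreeType or Chrome: the unchecked loader sizes its buffer from the PNG header and then copies whatever the decoder emits, while the checked loader bounds the dimensions, guards the size arithmetic, and rejects any glyph whose decoded size does not match its header. The struct, the function names, the RGBA layout and the 16-bit metric bound are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the Load_SBit_Png allocation pattern (added illustration, not
 * FreeType's code). A glyph carries the dimensions parsed from the PNG header
 * plus the rows the decoder actually emits; a malformed glyph declares fewer
 * pixels than it ships. Assumes 4 bytes per pixel (RGBA). */
typedef struct {
    uint32_t hdr_width, hdr_height;    /* from the PNG header (IHDR) */
    uint32_t data_width, data_height;  /* what the decoder really produces */
    const uint8_t *rows;               /* data_width * data_height * 4 bytes */
} sbit_png_glyph;

enum { SBIT_OK = 0, SBIT_ERR_SIZE, SBIT_ERR_MISMATCH, SBIT_ERR_ALLOC };

/* Vulnerable pattern: buffer sized from the header alone, while the copy
 * trusts the decoder's row count; writes past the buffer when data > header. */
static int load_sbit_png_unchecked(const sbit_png_glyph *g, uint8_t **out, size_t *len)
{
    size_t alloc = (size_t)g->hdr_width * g->hdr_height * 4;
    uint8_t *buf = malloc(alloc);
    if (!buf) return SBIT_ERR_ALLOC;
    memcpy(buf, g->rows, (size_t)g->data_width * g->data_height * 4); /* overflow */
    *out = buf; *len = alloc;
    return SBIT_OK;
}

/* Hardened pattern: bound the dimensions, guard the size arithmetic, and
 * refuse to copy anything the header did not account for. */
static int load_sbit_png_checked(const sbit_png_glyph *g, uint8_t **out, size_t *len)
{
    /* Assumed bound: FreeType keeps bitmap metrics in 16-bit fields. */
    if (g->hdr_width == 0 || g->hdr_height == 0 ||
        g->hdr_width > 0xFFFF || g->hdr_height > 0xFFFF) return SBIT_ERR_SIZE;
    if (g->hdr_width > SIZE_MAX / 4 / g->hdr_height) return SBIT_ERR_SIZE; /* no wrap */
    if (g->data_width != g->hdr_width || g->data_height != g->hdr_height)
        return SBIT_ERR_MISMATCH;                      /* the CVE-2020-15999 case */
    size_t alloc = (size_t)g->hdr_width * g->hdr_height * 4;
    uint8_t *buf = malloc(alloc);
    if (!buf) return SBIT_ERR_ALLOC;
    memcpy(buf, g->rows, alloc);                       /* exactly what was allocated */
    *out = buf; *len = alloc;
    return SBIT_OK;
}

/* Constructed sample input: a 2x2 RGBA glyph, declared honestly and under-declared. */
static const uint8_t sample_rows[16] = { 255,0,0,255, 0,255,0,255, 0,0,255,255, 255,255,255,255 };
static const sbit_png_glyph good_glyph = { 2, 2, 2, 2, sample_rows };
static const sbit_png_glyph bad_glyph  = { 1, 1, 2, 2, sample_rows };
```

Only the checked loader should ever be handed the under-declared glyph; the unchecked one is kept solely to show which two lines disagree about the buffer size.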
Discovery
Discovered by Sergei Glazunov of Google's Project Zero team during analysis of an active exploitation campaign. The zero-day was observed being used in targeted attacks before discovery. Google issued an emergency patch within one day of discovery, the fastest possible response timeline for a Chrome release. Project Zero publicly disclosed the FreeType bug details and credited the discovery.
Exploitation Context
CVE-2020-15999 represents the sophistication of 2020-era browser exploitation — it chains a third-party library bug (FreeType) within the browser with OS-level privilege escalation bugs to achieve full system compromise from a single web page visit. The simultaneous exploitation on both Windows (with CVE-2020-17087) and Android (with CVE-2020-16010) indicates the threat actor had platform-specific follow-on exploits prepared for multiple targets. Font processing as an attack surface is notable: fonts are processed before any user interaction with page content, making delivery via any web page (including compromised legitimate sites) sufficient.
Remediation
- Update Google Chrome to 86.0.4240.111 or later — patches the FreeType vulnerability in Chrome's renderer
- Update FreeType to 2.10.4 or later in all other applications that use FreeType for font rendering (Linux desktop applications, PDF readers, image processors)
- Update Windows systems with the November 2020 Patch Tuesday update patching CVE-2020-17087 (the companion Windows kernel escalation) to break the complete chain
- Update Android Chrome to patch CVE-2020-16010 (the Android sandbox escape companion)
- Enable Chrome's Site Isolation in enterprise policy to limit the impact of renderer compromises even if other zero-days are exploited
- Deploy browser-level content security policies that restrict font loading to trusted sources where feasible
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-15999 |
| Vendor / Product | Google — Chrome FreeType |
| NVD Published | 2020-11-03 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-787 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-10-19 | Sergei Glazunov (Project Zero) discovers FreeType heap buffer overflow being exploited in the wild |
| 2020-10-20 | Chrome 86.0.4240.111 emergency patch released — fixes CVE-2020-15999 as actively exploited zero-day |
| 2020-11-03 | CVE published; FreeType 2.10.4 released with fix; CVE-2020-17087 (Windows kernel) and CVE-2020-16010 (Chrome Android) disclosed as companion zero-days |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome 86.0.4240.111 Stable Channel Update | Vendor Advisory |
| Project Zero Issue #2124 — FreeType heap buffer overflow | Security Research |
| NVD — CVE-2020-15999 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |