CVE-2020-16017 — Google Chrome Use-After-Free Vulnerability

CVE-2020-16017

Chrome Site Isolation — Use-After-Free in Site Isolation Enables Compromised Renderer to Escape Sandbox; Zero-Day Used with V8 Bug CVE-2020-16013

What is Chrome's Site Isolation?

Chrome's renderer process executes web content in a sandboxed environment — compromising the renderer doesn't immediately give an attacker access to the operating system. Chrome's Site Isolation feature further separates content from different sites into separate processes, preventing a compromised renderer from reading content belonging to other sites (such as banking portals or email). Sandbox escape vulnerabilities in Chrome's IPC or browser-process code allow a compromised renderer to break out of the sandbox and execute code in the browser process, which runs with the user's full OS privileges. A use-after-free in Site Isolation's cross-process object management corrupts memory in the browser process, enabling this escape.

Overview

CVE-2020-16017 is a use-after-free vulnerability (CWE-416) in Chrome's Site Isolation implementation. An attacker who has already compromised the renderer process (via a renderer vulnerability such as the companion CVE-2020-16013 V8 bug) can exploit this UAF to escape the Chrome sandbox and execute code in the browser process with the user's OS privileges. The Scope: Changed (S:C) metric in the CVSS vector reflects the crossing of the browser-to-OS boundary. Both CVE-2020-16017 and CVE-2020-16013 were patched as zero-days in Chrome 86.0.4240.198 (November 11, 2020) — confirmed as used in active exploitation chains.

Affected Versions

Product | Vulnerable | Fixed
Google Chrome before 86.0.4240.198 | Yes | 86.0.4240.198
Microsoft Edge (Chromium) before equivalent version | Yes | Apply corresponding Edge update

Technical Details

  • Root cause: Use-after-free (CWE-416) in Chrome's Site Isolation. The cross-process object management code in Site Isolation maintains references to browser-process objects that represent renderer state. When a renderer is destroyed or those objects are freed without every reference being invalidated, a compromised renderer can send IPC messages that make the browser process access the freed memory, producing use-after-free memory corruption
  • Sandbox escape mechanism: The UAF in the browser process (which is not sandboxed) provides a memory corruption primitive in the higher-privilege browser process context; by controlling the data in the freed memory region (heap spray), the attacker redirects browser process execution to shellcode or ROP chains executing outside the renderer sandbox
  • Renderer prerequisite: CVE-2020-16017 requires prior renderer compromise (PR:N refers to the lack of credentials for the initial web page visit; the full chain requires CVE-2020-16013 or similar for renderer code execution); used together, CVE-2020-16013 (V8 type confusion for renderer RCE) → CVE-2020-16017 (Site Isolation UAF for sandbox escape) forms a complete browser exploitation chain
  • S:C CVSS impact: The Scope: Changed rating reflects the security boundary crossing — from the sandboxed renderer to the browser process; once outside the sandbox, C:H/I:H/A:H reflects full user-level OS access
  • Zero-day exploitation: Both CVEs were confirmed as actively exploited before the patch — the attack chain was deployed against real targets before Google discovered and patched it
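As an added illustration of the failure mode described in the two sections above (this is example code written for this page, not code from Chromium, Google or the advisory), the following C++ sketch contrasts a browser-process registry that keeps raw non-owning pointers and relies on every destruction path remembering to unregister them, with one that stores weak references and validates both object lifetime and site before honouring a renderer's message. All names (RendererState, RawPointerRegistry, SafeRegistry, HandleIpc) and the site strings are invented for the example; the defective registry is only shown to retain its stale entry after the object is freed and is never dereferenced.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>

// Hypothetical browser-process record of one renderer's state. The name and
// fields are invented for this example; Chromium's real types differ.
struct RendererState {
    int id;
    std::string site;  // site the renderer is locked to under Site Isolation
    RendererState(int renderer_id, std::string locked_site)
        : id(renderer_id), site(std::move(locked_site)) {}
};

// Pattern 1 (defective): a lookup table of raw, non-owning pointers that
// relies on every destruction path remembering to erase its entry. If one
// path forgets, the entry dangles and the next IPC lookup would touch freed
// memory. The example records the stale entry but never dereferences it.
class RawPointerRegistry {
public:
    void Create(int id, const std::string& site) {
        auto state = std::make_unique<RendererState>(id, site);
        lookup_[id] = state.get();        // non-owning alias used by IPC lookups
        owners_[id] = std::move(state);   // actual owner
    }
    // Destruction path that frees the object but skips the unregister step.
    void DestroyWithoutUnregister(int id) { owners_.erase(id); }
    // True after the defect: a pointer to freed memory is still reachable.
    bool HasEntry(int id) const { return lookup_.count(id) > 0; }
private:
    std::map<int, RendererState*> lookup_;
    std::map<int, std::unique_ptr<RendererState>> owners_;
};

// Pattern 2 (hardened): the lookup table holds weak references, so a message
// naming a destroyed renderer fails lock() instead of reaching freed memory.
// Every message is also checked against the Site Isolation policy (same site
// only) before it is honoured.
class SafeRegistry {
public:
    void Create(int id, const std::string& site) {
        auto state = std::make_shared<RendererState>(id, site);
        lookup_[id] = state;   // weak_ptr: does not keep the object alive
        owners_[id] = state;   // the only strong reference
    }
    void Destroy(int id) { owners_.erase(id); }  // releases the strong reference

    // Returns "ok:<site>" when sender may touch target's state, otherwise a
    // "rejected:<reason>" string.
    std::string HandleIpc(int sender_id, int target_id) {
        auto sender = Lookup(sender_id);
        if (!sender) return "rejected:sender-gone";
        auto target = Lookup(target_id);
        if (!target) return "rejected:target-gone";
        if (sender->site != target->site) return "rejected:cross-site";
        return "ok:" + target->site;
    }
private:
    std::shared_ptr<RendererState> Lookup(int id) {
        auto it = lookup_.find(id);
        if (it == lookup_.end()) return nullptr;
        auto strong = it->second.lock();    // null once the owner released it
        if (!strong) lookup_.erase(it);     // drop the stale entry eagerly
        return strong;
    }
    std::map<int, std::weak_ptr<RendererState>> lookup_;
    std::map<int, std::shared_ptr<RendererState>> owners_;
};

int main() {
    RawPointerRegistry raw;
    raw.Create(1, "bank.example");
    raw.DestroyWithoutUnregister(1);
    std::cout << "raw registry still has entry for freed renderer 1: "
              << std::boolalpha << raw.HasEntry(1) << "\n";

    SafeRegistry safe;
    safe.Create(1, "bank.example");
    safe.Create(2, "bank.example");
    safe.Create(3, "mail.example");
    std::cout << "1 -> 2 same site:  " << safe.HandleIpc(1, 2) << "\n";
    std::cout << "1 -> 3 cross site: " << safe.HandleIpc(1, 3) << "\n";
    safe.Destroy(2);
    std::cout << "1 -> 2 after free: " << safe.HandleIpc(1, 2) << "\n";
    return 0;
}
```

The design point is that lifetime and policy are both decided in the browser process from its own bookkeeping, never from identifiers a renderer supplies: a weak reference turns a forgotten unregister into a rejected message rather than a dangling pointer, and the site check is applied on every message regardless of which renderer sent it.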

Discovery

Google's Threat Analysis Group discovered the exploitation of CVE-2020-16017 in conjunction with CVE-2020-16013 during active attack investigation. The November 11, 2020 emergency patch release confirms in-the-wild exploitation. The use of two Chrome zero-days simultaneously (renderer RCE + sandbox escape) indicates a sophisticated threat actor with access to browser exploit chains.

Exploitation Context

Chrome sandbox escape zero-days are among the most valuable browser vulnerability classes — they enable full user-level OS access from a single malicious web page visit. CVE-2020-16017's exploitation alongside CVE-2020-16013 in a complete chain suggests state-sponsored or highly resourceful threat actors targeting specific individuals. Complete browser exploit chains (renderer RCE + sandbox escape) are the standard attack pattern for drive-by browser compromises; the Chrome November 2020 zero-days represent a high-sophistication deployment of this pattern in targeted attacks.

Remediation

  1. Update Google Chrome to 86.0.4240.198 or later immediately — patches both CVE-2020-16017 (sandbox escape) and CVE-2020-16013 (renderer RCE) together
  2. Update Microsoft Edge to the equivalent Chromium 86-based version or later
  3. Enable automatic Chrome updates to ensure future zero-day patches are applied without delay
  4. Deploy Chrome's additional sandbox hardening: enable Hardware-accelerated GPU sandboxing and enforce process isolation policies via enterprise policy
  5. For high-risk environments: consider restricting Chrome extension permissions and using Chrome's Enhanced Protection mode (Safe Browsing) which provides real-time malicious URL protection
  6. Monitor for browser process crashes or unexpected child process behavior that may indicate failed exploitation attempts

Key Details

CVE ID: CVE-2020-16017
Vendor / Product: Google — Chrome
NVD Published: 2021-01-08
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 9.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-416
CISA KEV Added: 2021-11-03
CISA KEV Deadline: 2022-05-03
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2020-11-11 | Chrome 86.0.4240.198 released, patching CVE-2020-16017 and CVE-2020-16013 as actively exploited zero-days
2021-01-08 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Chrome 86.0.4240.198 Stable Channel Update | Vendor Advisory
NVD — CVE-2020-16017 | Vulnerability Database
CISA KEV Catalog Entry | US Government