CVE-2020-6427: 
Node.js vulnerability analysis and mitigation

CVE-2020-6427 is a use-after-free vulnerability discovered in the audio component of Google Chrome versions prior to 80.0.3987.149. The vulnerability was discovered by Man Yue Mo of GitHub Security Lab and was disclosed in February 2020 (GitHub Security Lab, Chrome Release).

The vulnerability exists in the IIRFilterHandler::Process method of Chrome's audio component. When an infinite output is encountered, the IIRFilterHandler::NotifyBadState method is posted to the main thread. Since Context is an UntracedMember, it can be removed while the NotifyBadState method is waiting in the main queue, leading to use-after-free and potential heap corruption. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

A remote attacker could potentially exploit heap corruption by crafting a malicious HTML page that triggers the vulnerability. This could lead to arbitrary code execution with the privileges of the Chrome process (Gentoo Security).

The vulnerability was patched in Chrome version 80.0.3987.149. Users and administrators should upgrade to this version or later to mitigate the risk. Multiple Linux distributions have also released security updates including Debian, Fedora, and Gentoo (Debian Security, Fedora Update).