PatchSiren

CVE-2005-4900 Google CVE debrief

CVE-2005-4900 is a long-standing cryptographic weakness record for SHA-1 rather than a conventional software bug. The issue is that SHA-1 is not collision resistant, which can make certain spoofing attacks easier in contexts that rely on SHA-1 for integrity or identity, including the TLS 1.2 example cited in the CVE description. NVD classifies the weakness as CWE-326 and assigns a CVSS 3.0 score of 5.9 (Medium), with a network attack vector, no privileges required, no user interaction, and high attack complexity.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2016-10-14
Original CVE updated: 2026-05-06
Advisory published: 2016-10-14
Advisory updated: 2026-05-06

Who should care

Security teams, PKI/certificate operators, and application owners that still rely on SHA-1 in TLS, signatures, or other collision-sensitive workflows should care most. Because NVD also maps this CVE to Google Chrome versions up to 47.0.2526.111, Chrome maintainers and environments pinned to older Chrome builds should review any SHA-1 dependencies and upgrade paths.

Technical summary

The core technical issue is SHA-1’s broken collision resistance. In collision-sensitive uses, an attacker who can create two inputs with the same digest may be able to spoof or substitute data in a way that preserves the hash value. The CVE description specifically notes attacks against SHA-1 use in TLS 1.2. NVD lists the weakness as CWE-326 and, for Chrome, identifies affected versions through 47.0.2526.111. The recorded CVSS vector is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N.

Defensive priority

Medium. This is important wherever SHA-1 is still part of trust decisions, but it is not a fresh exploit against a single product release; it is a broader cryptographic deprecation/transition issue with context-dependent impact.

Recommended defensive actions

  • Inventory all SHA-1 use in certificates, signatures, integrity checks, and protocol handshakes.
  • Replace SHA-1 with collision-resistant alternatives where policy and interoperability allow.
  • Review any TLS and PKI configurations that still accept or generate SHA-1-based artifacts.
  • Upgrade or retire older Chrome builds if your environment still depends on the affected version range listed by NVD.
  • Monitor vendor and standards guidance for SHA-1 deprecation and migration requirements.

Evidence notes

Primary facts come from the CVE/NVD record supplied in the corpus. The CVE description states that SHA-1 is not collision resistant and cites spoofing in TLS 1.2 as an example. NVD maps the weakness to CWE-326, assigns CVSS 3.0 5.9/Medium, and lists Google Chrome as vulnerable through version 47.0.2526.111. Supporting references in the record include shattered.io, Google’s SHA-1 security blog posts, and related third-party advisories. No exploit steps or unverified claims are included.

Official resources

CVE record published 2016-10-14T16:59:00.187Z and last modified 2026-05-06T22:30:45.220Z. Timing in this debrief is based on those CVE/NVD dates, not on generation time.