PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5196 Google CVE debrief

CVE-2016-5196 is a high-severity Chrome for Android issue where the content renderer client did not sufficiently enforce the Same Origin Policy for downloaded files. A remote attacker could use a crafted HTML page to access downloaded files and interact with sites where the user was already logged in, with user interaction required. The CVE was published by NVD on 2017-01-19.

Vendor: Google
Product: CVE-2016-5196
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Android users running affected Chrome builds, mobile security teams, IT admins managing Android fleets, and web application teams that rely on authenticated browser sessions and download handling.

Technical summary

The weakness affects the Chrome content renderer client on Android and is described as insufficient enforcement of the Same Origin Policy among downloaded files. According to the supplied CVE data, a remote attacker could entice a user to visit a crafted HTML page and then access downloaded files or interact with logged-in sites. NVD rates the issue CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps it to CWE-254. The supplied sources also show an affected Chrome for Android version range and a Google Chrome for Android update reference.

Defensive priority

High. The issue is remotely reachable, requires no privileges, and can expose local downloads and authenticated browser sessions after user interaction.

Recommended defensive actions

  • Update Chrome for Android to a version newer than the affected release range referenced in the vendor and NVD records.
  • Use fleet compliance checks to confirm devices are not running vulnerable Chrome for Android builds.
  • Treat unexpected HTML or link-driven browser prompts with caution, especially on managed or shared Android devices.
  • Review account activity for signs of unauthorized browser-session use if a device may have opened untrusted content.
  • Keep browser auto-update enabled and enforce timely patching through mobile device management where available.

Evidence notes

The CVE was published in the NVD record on 2017-01-19 and last modified on 2026-05-13 in the supplied data. The description says Chrome for Android versions prior to 54.0.2840.85 were affected, while the NVD CPE criteria list vulnerability through 54.0.2840.68; this debrief preserves both source statements rather than resolving the discrepancy. Google-linked references in the record include a Chrome for Android update post and Chromium issue 659492, and NVD also cites a SecurityFocus BID reference.
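The fleet compliance check recommended above, worked against the two version thresholds in these evidence notes, as an added example that is not PatchSiren's or Google's code: it compares Chrome for Android builds as integer tuples (a string comparison sorts 54.0.2840.9 above 54.0.2840.85 and would wrongly pass it) and marks builds that fall between the NVD CPE ceiling and the fixed release as disputed. The inventory format and its rows are constructed for illustration.

```python
# Added example, not PatchSiren's or Google's code: a fleet compliance check that
# flags Android devices whose Chrome build is still inside the affected range.
# Both thresholds are taken from this debrief; the inventory rows are constructed.
FIXED_VERSION = "54.0.2840.85"            # description: builds prior to this are affected
NVD_CPE_LAST_VULNERABLE = "54.0.2840.68"  # NVD CPE criteria: vulnerable through this build
CHROME_PACKAGE = "com.android.chrome"     # Android package id of Chrome

def parse_version(text):
    """Integer tuple for ordering: 54.0.2840.9 must sort below 54.0.2840.85,
    which a plain string comparison gets wrong."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version):
    """'disputed' marks builds above the NVD CPE ceiling but below the fixed
    release, the discrepancy the evidence notes record without resolving."""
    v = parse_version(version)
    if v <= parse_version(NVD_CPE_LAST_VULNERABLE):
        return "vulnerable"
    if v < parse_version(FIXED_VERSION):
        return "disputed"
    return "patched"

def check_fleet(inventory):
    """Return {device_id: status} for Chrome installs that are not patched.
    inventory: (device_id, package, version) rows such as an MDM export."""
    findings = {}
    for device_id, package, version in inventory:
        if package == CHROME_PACKAGE:
            status = classify(version)
            if status != "patched":
                findings[device_id] = status
    return findings

# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    ("tablet-01", CHROME_PACKAGE, "53.0.2785.124"),
    ("phone-02", CHROME_PACKAGE, "54.0.2840.9"),   # string compare would wrongly pass this
    ("phone-03", CHROME_PACKAGE, "54.0.2840.70"),
    ("phone-04", CHROME_PACKAGE, "54.0.2840.85"),
    ("phone-05", "org.mozilla.firefox", "49.0"),
]

if __name__ == "__main__":
    for device, status in check_fleet(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```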

Official resources

Publicly disclosed through the CVE/NVD record and Google-referenced Chrome for Android update materials. No Known Exploited Vulnerabilities (KEV) entry is included in the supplied data.