PatchSiren cyber security CVE debrief
CVE-2016-5197 Google CVE debrief
CVE-2016-5197 affects Google Chrome for Android’s content view client. The issue is insufficient validation of intent URLs: an attacker who had already compromised the renderer process and delivered a crafted HTML page could trigger arbitrary activity launches on the device. NVD rates the issue HIGH with a CVSS 3.0 score of 8.8, reflecting network reachability, low attack complexity, and high impact, but with required user interaction.
- Vendor: Google
- Product: Chrome for Android
- CVE: CVE-2016-5197
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-19
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-19
- Advisory updated: 2026-05-13
Who should care
Android fleet administrators, mobile security teams, and organizations that manage or allow Chrome on Android devices should care most. End users running older Chrome for Android builds are also directly exposed until updated.
Technical summary
The published CVE description states that the Chrome for Android content view client insufficiently validated intent URLs. In practical terms, a malicious page could exploit this weakness after a renderer compromise to start arbitrary Android activities. NVD maps the weakness to CWE-20 and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, so the risk is remote but gated by user interaction and an already-compromised renderer context.
Defensive priority
High. Prioritize patching managed Android Chrome installations and confirming that affected devices are running a fixed Chrome for Android release.
Recommended defensive actions
- Update Chrome for Android to the first fixed release referenced in the CVE description, and verify managed devices are no longer on the affected versions.
- Inventory Android devices and browser versions so you can identify any systems still in the vulnerable range.
- Treat any unexpected browser-to-app launches or activity transitions on managed Android devices as security-relevant events and review them promptly.
- Use standard Chrome and Android update controls to keep browser builds current across the fleet.
Evidence notes
Primary source evidence comes from the NVD CVE detail and the underlying NVD API record. The CVE description says the Chrome content view client in Google Chrome prior to 54.0.2840.85 for Android insufficiently validated intent URLs, allowing arbitrary activity launches after renderer compromise and crafted HTML. The NVD record classifies the weakness as CWE-20 and provides CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Vendor-linked references include the Chrome for Android update blog post, a Chromium bug (crbug.com/659477), and a SecurityFocus BID entry. Note: the source record contains a version-range inconsistency, because the description cites versions prior to 54.0.2840.85 as affected while the CPE criteria list versions only through 54.0.2840.68 as vulnerable.
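The inventory step in the recommended actions and the version-range inconsistency above can be handled together with a small triage check. This is an added example, not code from the debrief, from Google or from the Chromium project; the device ids and versions in the sample inventory are constructed, and the only page-derived values are the two version bounds (54.0.2840.85 from the description, 54.0.2840.68 from the CPE criteria). Builds that fall between the two bounds are flagged for review rather than silently cleared.

```python
# Added example (not from the debrief or from Google/Chromium): classify Chrome for
# Android builds against the CVE-2016-5197 bounds. The fixed release comes from the
# CVE description; the CPE "through" bound is the inconsistent value the evidence
# notes mention. Builds in the gap between them are reported for manual review.
from typing import Dict, List, Tuple

FIXED_VERSION = "54.0.2840.85"    # first fixed release per the CVE description
CPE_UPPER_BOUND = "54.0.2840.68"  # "through" bound in the NVD CPE criteria


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a comparable tuple of ints."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {v!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable' at or below the CPE bound, 'review' for builds in the
    gap where the two sources disagree, and 'fixed' at or above the fixed release."""
    v = parse_version(version)
    if v <= parse_version(CPE_UPPER_BOUND):
        return "vulnerable"
    if v < parse_version(FIXED_VERSION):
        return "review"
    return "fixed"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (device_id, chrome_version) pairs by classification, preserving order."""
    out: Dict[str, List[str]] = {"vulnerable": [], "review": [], "fixed": []}
    for device_id, version in inventory:
        out[classify(version)].append(device_id)
    return out


# Constructed sample inventory: device ids and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("android-001", "53.0.2785.124"),
    ("android-002", "54.0.2840.68"),
    ("android-003", "54.0.2840.70"),
    ("android-004", "54.0.2840.85"),
    ("android-005", "55.0.2883.91"),
]

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {devices}")
```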
Official resources
The CVE record was published on 2017-01-19, and the supplied source item was last modified on 2026-05-13. Vendor-linked remediation context is provided by the Chrome for Android update post dated 2016-10-31. This debrief uses the supplied N