PatchSiren

CVE-2016-5199 Google CVE debrief

CVE-2016-5199 is a high-severity Chrome vulnerability tied to FFmpeg handling of crafted video content. According to the published description, an off-by-one error could cause a zero-size allocation and potentially lead to heap corruption, creating a remote attack path through malicious media. Google’s release advisory and the CVE record indicate this was addressed in specific Chrome updates across Mac, Windows, Linux, and Android.

Vendor: Google
Product: CVE-2016-5199
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Security teams managing Google Chrome deployments, especially desktop and Android fleets; endpoint teams responsible for browser patching; and organizations that regularly process untrusted video content in the browser.

Technical summary

The published CVE description identifies an off-by-one error in FFmpeg used by Chrome, resulting in a zero-size allocation and possible heap corruption when processing a crafted video file. NVD maps the issue to CWE-119 and assigns a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting remote delivery with user interaction. The source set includes Google’s Chrome release advisory, which documents the patched release train, and a Chromium bug reference for the issue.

Defensive priority

High. Treat as a priority browser patch issue because the attack surface is remote, the trigger involves common untrusted content, and the severity rating is high.

Recommended defensive actions

  • Update Google Chrome to a version at or above the vendor-fixed releases referenced in the advisory for each platform: 54.0.2840.98 on Mac, 54.0.2840.99 on Windows, 54.0.2840.100 on Linux, and 55.0.2883.84 on Android.
  • Verify fleet version compliance using browser management or endpoint inventory, not just user-reported browser version strings.
  • Prioritize patching for users who routinely open or preview untrusted video content in the browser.
  • Review any compensating controls for web content handling, such as application allowlisting and browser auto-update enforcement.
  • Track the linked Chrome advisory and Chromium bug for vendor context when validating remediation status.
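
One way to check inventory records against the fixed releases listed above, as an added example that is not part of the original debrief or any vendor tooling. The host names, the sample versions, and the (host, platform, version) record layout are constructed assumptions; only the four fixed-version numbers come from this page.

```python
import re

# Fixed releases per platform, as listed in the recommended actions above.
FIXED = {
    "mac": (54, 0, 2840, 98),
    "windows": (54, 0, 2840, 99),
    "linux": (54, 0, 2840, 100),
    "android": (55, 0, 2883, 84),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or unparseable version: review by hand
    # Tuple comparison is numeric per component, so 2840.100 sorts after 2840.99.
    # Comparing the raw strings would order them the other way round.
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map host -> status; inventory yields (host, platform, version) records."""
    return {host: classify(platform, version) for host, platform, version in inventory}


# Constructed sample inventory (hypothetical hosts, not real fleet data).
SAMPLE_INVENTORY = [
    ("mac-01", "Mac", "54.0.2840.98"),
    ("win-01", "Windows", "54.0.2840.71"),
    ("lin-01", "Linux", "54.0.2840.100"),
    ("lin-02", "Linux", "54.0.2840.99"),
    ("and-01", "Android", "54.0.2840.85"),
    ("win-02", "Windows", "unknown build"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Records classified as unknown should be resolved through browser management or endpoint inventory rather than assumed patched.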

Evidence notes

Primary evidence comes from the CVE description and NVD record, which identify the FFmpeg off-by-one error, the heap-corruption risk, the CWE mapping, and the CVSS vector. Google’s Chrome release advisory is included in the reference set and is the best source for version-based remediation. The NVD CPE data also marks Google Chrome as affected, though the supplied source data should be used carefully alongside the vendor advisory when confirming fixed versions.

Official resources

Publicly disclosed by the CVE record on 2017-01-19. The supplied source set ties the issue to a prior Google Chrome advisory and later vendor/reference listings.