PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5201 Google CVE debrief

CVE-2016-5201 is a Chrome information-disclosure issue in the extensions API that could let a remote attacker access privileged JavaScript code through a crafted HTML page. NVD classifies the weakness as CWE-200 and scores it 6.5/10 (medium). The CVE was published on 2017-01-19, and the NVD record was later modified on 2026-05-13; that later modification does not change the original vulnerability timing.

Vendor
Google
Product
CVE-2016-5201
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-19
Original CVE updated
2026-05-13
Advisory published
2017-01-19
Advisory updated
2026-05-13

Who should care

Organizations that run Google Chrome on Linux, Windows, or macOS, especially environments that rely on browser hardening, managed workstation fleets, or users who may open untrusted web content. Security teams tracking browser exposure and information-disclosure risks should also care.

Technical summary

The issue is described as a leak of privateClass in Chrome's extensions API that allowed a remote attacker to reach privileged JavaScript code from a crafted HTML page. The CVE description states fixed builds were 54.0.2840.100 for Linux, 54.0.2840.99 for Windows, and 54.0.2840.98 for Mac. NVD's vulnerable CPE range for Google Chrome is listed as ending at 54.0.2840.87, so the corpus contains a version-detail discrepancy that should be handled carefully when mapping exposure.

Defensive priority

Medium. The flaw is remote and requires user interaction, but it affects a widely used browser and can expose privileged JavaScript-related data. Patch priority should be high for any Chrome installation still on an affected build.

Recommended defensive actions

  • Verify Chrome versions against the platform-specific fixed builds named in the CVE description: Linux 54.0.2840.100, Windows 54.0.2840.99, and Mac 54.0.2840.98.
  • Update Google Chrome to a version newer than the affected releases; NVD lists Chrome versions through 54.0.2840.87 as vulnerable in its CPE criteria.
  • Treat untrusted HTML content as potentially risky until affected browsers are patched, because the issue is triggered by a crafted HTML page.
  • Use the linked vendor and distribution advisories to confirm whether your fleet was covered by a backported fix.
  • Track this as an information-disclosure issue rather than a code-execution advisory; the CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Evidence notes

All statements are grounded in the supplied CVE description and NVD record. The description says a privateClass leak in the extensions API allowed a remote attacker to access privileged JavaScript code via a crafted HTML page. NVD lists CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, CWE-200, and a vulnerable Chrome CPE ending at 54.0.2840.87. The description also provides platform-specific fixed builds for Linux, Windows, and Mac. The corpus contains no KEV listing and no ransomware attribution.

Official resources

Publicly disclosed and assigned on 2017-01-19. The source corpus shows no CISA KEV entry and no known ransomware campaign use.