PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5203 Google CVE debrief

CVE-2016-5203 is a high-severity Google Chrome issue in PDFium involving a use-after-free condition that could be reached with a crafted PDF file. The supplied CVE description says Chrome versions before 55.0.2883.75 on Mac, Windows, and Linux, and before 55.0.2883.84 on Android, are affected. Because the attack path is browser-delivered and requires user interaction, the main defensive concern is exposure on endpoints that may open untrusted PDFs in older Chrome builds.

Vendor: Google
Product: CVE-2016-5203
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Chrome users and administrators on Mac, Windows, Linux, and Android; endpoint and browser management teams; organizations that regularly receive or view PDFs from email, web downloads, or other untrusted sources; and security teams responsible for patch compliance on managed browser fleets.

Technical summary

The vulnerability is a use-after-free in PDFium, tracked by NVD as CWE-416, with CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, a remote attacker could craft a PDF file that exercises the flawed memory handling in Chrome’s PDF rendering component and potentially exploit resulting heap corruption. The source corpus identifies affected Chrome versions as prior to 55.0.2883.75 for desktop platforms and 55.0.2883.84 for Android.

Defensive priority

High. Although the attack requires user interaction, the vulnerable surface is a common browser component used to handle PDFs, so outdated installations can be broadly exposed.

Recommended defensive actions

  • Update Google Chrome to a fixed release at or above 55.0.2883.75 on Mac, Windows, and Linux, and 55.0.2883.84 on Android.
  • Verify that managed Chrome deployments are actually receiving and applying updates, especially on systems where auto-update may be delayed or blocked.
  • Review fleet inventory for older Chrome versions and prioritize devices that handle external PDFs frequently.
  • Treat unsolicited PDF files as suspicious and route them through standard email and web security controls.
  • Use vendor and distro advisories to confirm downstream patch status where Chrome is packaged by an OS or enterprise channel.

Evidence notes

The CVE description states the issue is a PDFium use-after-free in Google Chrome that can be reached via a crafted PDF file. The vendor-supplied references in NVD include Google’s Chrome stable-channel update, the Chrome issue tracker entry (crbug.com/644219), and downstream advisories from Red Hat and Gentoo. NVD also lists a vulnerable Chrome CPE range ending at 54.0.2840.99, which does not match the vendor description’s fixed-version detail of 55.0.2883.75/84; the vendor description should be treated as the primary version guidance in this corpus.
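The fleet-inventory check from the recommended actions, and the NVD CPE range mismatch noted above, as an added example that is not part of the PatchSiren debrief or of any Google tooling. Hostnames and installed versions in the sample inventory are constructed; the fixed versions and the CPE upper bound are the ones quoted on this page.

```python
# Flag Chrome installs below the vendor-stated fixed versions for CVE-2016-5203,
# and show where the NVD CPE range (ending at 54.0.2840.99) would disagree.

# Fixed versions from the vendor description quoted in the debrief.
FIXED_VERSION: dict[str, str] = {
    "mac": "55.0.2883.75",
    "windows": "55.0.2883.75",
    "linux": "55.0.2883.75",
    "android": "55.0.2883.84",
}

# Upper bound of the vulnerable CPE range as listed by NVD (per the debrief).
NVD_CPE_LAST_VULNERABLE = "54.0.2840.99"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted four-part Chrome version into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the install is below the vendor fixed version for its platform."""
    return parse_version(version) < parse_version(FIXED_VERSION[platform.lower()])


def nvd_range_says_vulnerable(version: str) -> bool:
    """What the NVD CPE range alone would conclude for the same version."""
    return parse_version(version) <= parse_version(NVD_CPE_LAST_VULNERABLE)


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames that still need the CVE-2016-5203 fix, per vendor guidance."""
    return [host for host, platform, ver in inventory if is_vulnerable(platform, ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("wks-01", "windows", "54.0.2840.99"),    # vulnerable under both views
    ("wks-02", "linux", "55.0.2883.21"),      # above the CPE bound, below the fixed build
    ("wks-03", "mac", "55.0.2883.75"),        # exactly the desktop fixed build
    ("phone-01", "android", "55.0.2883.75"),  # fixed on desktop, but Android needs .84
    ("phone-02", "android", "55.0.2883.84"),
]

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))  # → ['wks-01', 'wks-02', 'phone-01']
```

The `wks-02` row is the case the evidence note warns about: a version the NVD CPE range would call unaffected while the vendor fixed-version guidance still flags it.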

Official resources

The CVE record was published on 2017-01-19; the reference set points to Google’s Chrome stable-channel update from December 2016 and associated issue tracking/downstream advisories.