PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5204 Google CVE debrief

CVE-2016-5204 is a Chrome/Blink vulnerability involving leakage of an SVG shadow tree that can corrupt the DOM tree and let a remote attacker inject arbitrary scripts or HTML. NVD rates it medium severity, and the issue affects Chrome versions before the fixed 55.x releases noted in the CVE record.

Vendor
Google
Product
CVE-2016-5204
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-19
Original CVE updated
2026-05-13
Advisory published
2017-01-19
Advisory updated
2026-05-13

Who should care

Organizations that manage Google Chrome on desktop or Android, especially security teams responsible for browser patching, endpoint compliance, and user-facing web access. Users on unsupported or delayed-update systems should also care because the issue can be triggered by a crafted HTML page.

Technical summary

According to NVD, the flaw is in Blink’s handling of SVG shadow trees, where leaking shadow-tree state can lead to DOM corruption. The impact is cross-site scripting / UXSS-style script or HTML injection from a remote crafted page, with network attack vector, low attack complexity, and user interaction required. The published CVSS v3.0 vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and the vulnerable Chrome range ends at 54.0.2840.99 per the NVD CPE criteria in the source record.

Defensive priority

Medium priority, but treat as high urgency for any fleet that may still run affected Chrome builds. Browser vulnerabilities with UI-required UXSS impact can still enable account compromise, session theft, or web app manipulation if left unpatched.

Recommended defensive actions

  • Update Google Chrome to a version newer than the fixed releases identified in the CVE description (55.0.2883.75 on Mac, Windows, and Linux; 55.0.2883.84 on Android).
  • Verify managed desktop and mobile fleets are no longer on Chrome versions at or below the vulnerable range listed in NVD.
  • Use browser update enforcement or auto-update controls where available to reduce exposure from delayed patching.
  • Review downstream vendor advisories and enterprise patch notices referenced in NVD for any platform-specific deployment guidance.
  • Prioritize remediation on systems used for sensitive web applications, SSO, email, and admin workflows because UXSS-style issues can affect session security.

Evidence notes

This debrief is based only on the supplied NVD record and its referenced official links. The NVD entry marks the vulnerability as modified, lists the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, identifies CWE-79, and records the vulnerable Chrome CPE range ending at 54.0.2840.99. NVD references include Google’s Chrome stable channel update, the Chromium issue tracker entry crbug.com/630870, and downstream advisories from Red Hat and Gentoo, which supports that this was publicly patched before or around the Chrome 55 release cycle. The CVE publication date used here is the supplied CVE publishedAt timestamp, not the later record modification date.

Official resources

Publicly disclosed in the vendor and NVD records provided here, with the CVE published date supplied as 2017-01-19. The NVD references point to Google’s Chrome stable channel update and related advisories for remediation context.