PatchSiren cyber security CVE debrief

CVE-2016-5207 Google CVE debrief

CVE-2016-5207 affects Google Chrome’s Blink engine. The CVE/NVD record says DOM tree corruption could occur during removal of a full-screen element, and a remote attacker could potentially exploit the issue via a crafted HTML page. The supplied record ties the issue to Chrome versions before 55.0.2883.75 on Mac, Windows, and Linux, and before 55.0.2883.84 on Android.

Vendor: Google
Product: CVE-2016-5207
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Security teams managing Google Chrome on macOS, Windows, Linux, and Android; endpoint and mobile device management teams; and users who may browse untrusted web content.

Technical summary

The vulnerability is described as a Blink DOM tree corruption issue triggered during removal of a full-screen element. The NVD record maps it to CWE-79 and assigns a CVSS 3.0 base score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The record’s CPE range captures affected Chrome builds up to 54.0.2840.99, while the Google-linked Chrome release advisory identifies fixed builds at 55.0.2883.75 for desktop platforms and 55.0.2883.84 for Android.

Defensive priority

Medium. The issue is remotely reachable through web content, requires user interaction, and is rated CVSS 6.1.

Recommended defensive actions

  • Verify Chrome installations are at or above 55.0.2883.75 on desktop platforms and 55.0.2883.84 on Android.
  • Prioritize patching managed devices that regularly browse untrusted or external web content.
  • Use Chrome auto-update and enforcement policies to reduce patch lag on future security releases.
  • Confirm vulnerable Chrome versions are blocked by endpoint compliance baselines and mobile device management profiles.
  • Review the linked Chrome release advisory and vendor advisories for deployment guidance and affected-version details.
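
The version check in the first action can be automated against an exported inventory. The following is an added example, not part of the CVE record or any vendor tooling: the fixed builds are the ones stated in this debrief, while the function names, host names and inventory rows are constructed assumptions.

```python
# Added example: flag Chrome installs below the fixed builds for CVE-2016-5207.
# Thresholds come from this debrief; the inventory rows are constructed.
FIXED_BUILDS = {
    "windows": (55, 0, 2883, 75),
    "mac": (55, 0, 2883, 75),
    "linux": (55, 0, 2883, 75),
    "android": (55, 0, 2883, 84),  # Android has its own, higher fixed build
}

def parse_version(text):
    """Parse a four-part Chrome version into a tuple of ints, or None."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unparseable data needs manual follow-up
    # Tuple comparison is numeric per component, so 2883.9 sorts below 2883.75.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Return (host, platform, version, status) for every non-patched row."""
    findings = []
    for host, platform, version_text in inventory:
        status = classify(platform, version_text)
        if status != "patched":
            findings.append((host, platform, version_text, status))
    return findings

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("host-a", "Windows", "54.0.2840.99"),
    ("host-b", "Linux", "55.0.2883.75"),
    ("host-c", "Android", "55.0.2883.75"),  # desktop fix level, too low here
    ("host-d", "Mac", "55.0.2883.9"),       # would pass a string comparison
    ("host-e", "Windows", "56.0.2924.87"),
    ("host-f", "Linux", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Rows reported as unknown are kept in the findings rather than dropped, so devices with missing or malformed version data still reach a reviewer.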

Evidence notes

This debrief is based only on the supplied CVE/NVD record and linked references. The record describes Blink DOM tree corruption during removal of a full-screen element and notes potential exploitation via a crafted HTML page. The CVE publication timestamp used for timing context is 2017-01-19T05:59:00.497Z; the later 2026-05-13 modification timestamp is not treated as the issue date.

Official resources

CVE-2016-5207 was published on 2017-01-19 and later modified in the NVD record on 2026-05-13. The advisory context in the supplied references points to Chrome desktop and Android fixes released in late 2016.