PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5210 Google CVE debrief

CVE-2016-5210 is a high-severity Google Chrome vulnerability: a heap buffer overflow during TIFF image parsing in PDFium, Chrome's bundled PDF renderer. According to the CVE description, a crafted PDF file could trigger heap corruption remotely. The supplied NVD data rates the issue 8.8 (HIGH) with a network attack vector, low attack complexity, no privileges required, and user interaction required (the victim has to open or render the PDF).

Vendor
Google
Product
Google Chrome (PDFium)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-19
Original CVE updated
2026-05-13
Advisory published
2017-01-19
Advisory updated
2026-05-13

Who should care

Chrome administrators, endpoint security teams, Android fleet managers, and anyone responsible for users or services that open untrusted PDF files should prioritize this issue on affected pre-fix Chrome builds.

Technical summary

The supplied record describes a heap buffer overflow in PDFium’s TIFF image parsing path, classified as CWE-787. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which indicates a network-reachable flaw that still depends on user interaction with a crafted PDF to trigger the vulnerable code path.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to the vendor-fixed release for your platform, including Android, using official vendor guidance.
  • Verify that managed Chrome fleets are not pinned to affected versions and that automatic updates remain enabled.
  • Prioritize patching endpoints and shared systems that routinely open untrusted PDF content.
  • Review document-handling workflows that accept external PDFs and reduce exposure where possible.
  • Cross-check the Google Chrome stable-channel update and Chromium issue references if you use extended-stable, pinned, or enterprise-managed Chrome versions, because the supplied record shows differing version ranges.

Evidence notes

The CVE description in the supplied corpus states that a heap buffer overflow during TIFF image parsing in PDFium could allow remote heap corruption via a crafted PDF file. The NVD metadata classifies the weakness as CWE-787 (out-of-bounds write) and lists CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The record also references Google's Chrome stable-channel update, a Chromium issue tracker entry, Red Hat errata, SecurityFocus, and Gentoo GLSA. One point to validate operationally is the version scope: the descriptive text mentions fixes before 55.0.2883.75 on desktop and 55.0.2883.84 on Android, while the NVD CPE range shown in the supplied metadata ends at 54.0.2840.99. A CPE bound at the last 54.x release is not in itself inconsistent with a fix in 55.0.2883.75, but it leaves pre-fix 55.x builds (dev and beta channel builds, and Android builds below 55.0.2883.84) outside the CPE match, so scanners that rely on CPE matching alone may under-report. Compare installed versions against the fix versions per platform rather than against the CPE range.
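The fleet-verification step in the recommended actions and the version-scope caveat above both come down to the same check: compare each installed Chrome version numerically against the per-platform fix version, not against the NVD CPE range. The script below is an added example written for this debrief, not code from PatchSiren, Google, or NVD. The fix versions (55.0.2883.75 desktop, 55.0.2883.84 Android) and the CPE upper bound (54.0.2840.99) are taken from the record; the platform keys, hostnames, and the inventory versions are constructed sample data.

```python
"""Classify Chrome build versions against the CVE-2016-5210 fix thresholds.

Added example, not code from PatchSiren or Google. The fixed versions
(55.0.2883.75 desktop, 55.0.2883.84 Android) and the NVD CPE upper bound
(54.0.2840.99) come from the debrief; the inventory below is constructed
sample data. The platform names used as dictionary keys are an assumption.
"""
from typing import Dict, List, Tuple

# Fixed versions named in the CVE description: a build is considered patched
# for this issue only if its version is >= the threshold for its platform.
FIXED_VERSIONS: Dict[str, str] = {
    "desktop": "55.0.2883.75",   # Windows, macOS, Linux stable
    "android": "55.0.2883.84",
}

# Upper bound of the NVD CPE "versions up to and including" range.
NVD_CPE_UPPER_BOUND = "54.0.2840.99"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '55.0.2883.75' into an int tuple.

    Chrome versions are MAJOR.MINOR.BUILD.PATCH; numeric tuples compare
    correctly, whereas plain string comparison would rank '9.x' above '55.x'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, platform: str) -> bool:
    """True if the build predates the fix for its platform."""
    platform = platform.lower()
    if platform not in FIXED_VERSIONS:
        raise KeyError(f"unknown platform {platform!r}; expected one of {sorted(FIXED_VERSIONS)}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[platform])


def within_nvd_cpe_range(version: str) -> bool:
    """True if the NVD CPE range (<= 54.0.2840.99) would flag this build.

    Builds between the CPE bound and the fix version (pre-fix 55.x dev/beta,
    Android below 55.0.2883.84) are affected per the description but fall
    outside the CPE range; CPE-only scanners would miss them.
    """
    return parse_version(version) <= parse_version(NVD_CPE_UPPER_BOUND)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Split an inventory of (hostname, platform, version) into buckets."""
    report: Dict[str, List[str]] = {
        "affected": [],
        "affected_but_outside_cpe_range": [],
        "patched": [],
    }
    for host, platform, version in inventory:
        if not is_affected(version, platform):
            report["patched"].append(host)
        elif within_nvd_cpe_range(version):
            report["affected"].append(host)
        else:
            report["affected_but_outside_cpe_range"].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-001", "desktop", "54.0.2840.99"),    # last build inside the CPE range
    ("ws-002", "desktop", "55.0.2883.75"),    # exact desktop fix version
    ("ws-003", "desktop", "55.0.2883.21"),    # constructed pre-fix 55.x build
    ("ws-004", "desktop", "9.0.597.94"),      # old build; string compare would mis-rank it
    ("phone-01", "android", "55.0.2883.75"),  # patched on desktop, not yet on Android
    ("phone-02", "android", "55.0.2883.84"),  # Android fix version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the output of your management tooling (for example a CSV export of hostname, platform, and Chrome version) in place of `SAMPLE_INVENTORY`. The `affected_but_outside_cpe_range` bucket is the one to watch: those hosts need the update even though a CPE-based scanner would report them clean.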

Official resources

Public CVE record published on 2017-01-19T05:59:00.590Z; the NVD entry was later modified on 2026-05-13T00:24:29.033Z. The supplied references point to Google and third-party advisories associated with the Chrome fix.