PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5211 Google CVE debrief

CVE-2016-5211 is a high-severity use-after-free in Chrome’s PDFium component. A remote attacker could potentially trigger heap corruption by persuading a user to open a crafted PDF file in affected Chrome builds. The supplied record ties the issue to Chrome prior to 55.0.2883.75 on Mac, Windows, and Linux, and prior to 55.0.2883.84 on Android.

Vendor
Google
Product
CVE-2016-5211
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-19
Original CVE updated
2026-05-13
Advisory published
2017-01-19
Advisory updated
2026-05-13

Who should care

Chrome administrators, endpoint and vulnerability management teams, Android fleet owners, and users who routinely open untrusted PDF files in the browser.

Technical summary

NVD classifies this issue as CWE-416 (Use After Free) and lists the CVSS 3.0 vector as AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which indicates a network-reachable flaw that requires user interaction and could have severe impact if successfully triggered. The vulnerability is described as a PDFium memory-safety issue that may lead to heap corruption when processing a crafted PDF.

Defensive priority

High priority for any environment that may still run affected Chrome/PDFium builds, especially where users open external or untrusted PDFs. Because the attack path requires only user interaction and the impact is potentially severe, patching and version verification should be treated as urgent hygiene.

Recommended defensive actions

  • Verify Chrome is updated to at least 55.0.2883.75 on Mac, Windows, and Linux, or 55.0.2883.84 on Android.
  • Prioritize remediation on systems where users open PDFs from email, downloads, messaging apps, or the web.
  • Use managed update policies and confirm fleet compliance rather than relying on user self-update.
  • Treat Chrome or PDFium crashes while rendering PDFs as potential memory-corruption indicators and investigate them.
  • Reduce exposure to untrusted PDFs where operationally possible, for example by opening them in controlled workflows or isolated viewers.

Evidence notes

The supplied NVD record shows CVE-2016-5211 published on 2017-01-19 and modified on 2026-05-13, identifies the weakness as CWE-416, and lists the affected Chrome version boundary as versions through 54.0.2840.99 in the CPE criteria. The CVE description explicitly states that the flaw is a use-after-free in PDFium in Google Chrome and that it could be triggered via a crafted PDF file. NVD also includes references to the Chrome stable channel update blog post, Chromium issue 649229, Red Hat RHSA-2016-2919, SecurityFocus BID 94633, and Gentoo GLSA 201612-11 as corroborating sources in the record. No CISA KEV entry was supplied.

Official resources

Public CVE record published on 2017-01-19. The supplied record was later modified on 2026-05-13, but the vulnerability itself concerns Chrome/PDFium builds prior to the fixed versions listed in the description.