PatchSiren cyber security CVE debrief
CVE-2016-5212 Google CVE debrief
CVE-2016-5212 is a Google Chrome information-disclosure issue in DevTools URL sanitization. A remote attacker could lure a user to a crafted HTML page and read local files from affected Chrome installs. The supplied description names fixed builds of 55.0.2883.75 for Mac, Windows, and Linux, and 55.0.2883.84 for Android. The NVD record classifies the issue as confidentiality-only, user-interaction required, and network reachable.
- Vendor
- Product
- CVE-2016-5212
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-19
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-19
- Advisory updated: 2026-05-13
Who should care
Endpoint and browser management teams, SOC analysts, and users running affected Chrome versions on desktop or Android should care, especially where browsers may access sensitive local files or developer tooling is enabled.
Technical summary
The corpus describes an insufficiently sanitized DevTools URL path in Chrome. That weakness could be abused from a remote web page to cause local file disclosure on affected systems. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N and maps the weakness to CWE-200. The supplied NVD CPE criteria also list Chrome versions through 54.0.2840.99 as vulnerable, while the narrative description gives vendor-fixed builds in the 55.0.2883.x line.
Defensive priority
Medium: prioritize routine but prompt browser patching, with extra attention on endpoints that handle sensitive local data or where Chrome updates lag.
Recommended defensive actions
- Upgrade Google Chrome to at least 55.0.2883.75 on Mac, Windows, and Linux, or 55.0.2883.84 on Android.
- Verify fleet coverage using browser inventory or endpoint management rather than relying only on user-reported update status.
- Treat any exposure of local files through browser or DevTools behavior as a confidentiality incident path and review sensitive data handling on impacted endpoints.
- Use the Chrome stable channel update and downstream vendor advisories in the supplied references to confirm remediation scope and timelines.
- If you maintain browser hardening baselines, ensure Chrome auto-update is enabled and monitored so fixed builds are adopted quickly.
Evidence notes
The supplied corpus consistently identifies a Chrome local-file disclosure issue caused by insufficient DevTools URL sanitization. The CVE description states affected versions were Chrome prior to 55.0.2883.75 on desktop and 55.0.2883.84 on Android. NVD supplies CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N and CWE-200, supporting a remote, user-interaction-dependent confidentiality impact. The NVD CPE criteria in the record end at 54.0.2840.99, which does not exactly match the narrative fix versions, so remediation planning should follow the explicit vendor version guidance in the description.
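The fleet-coverage action and the CPE mismatch noted above can be checked together. The following is an added example, not code from the advisory or from Google: it classifies inventory rows against the per-platform fixed builds and separately flags installs that a CPE-only match (upper bound 54.0.2840.99) would miss. The hostnames, the inventory rows and the status labels are constructed for illustration.

```python
# Added example: fleet check against the fixed builds named in the CVE description.
# Inventory rows and status labels are constructed, not real endpoint data.

FIXED = {  # first fixed build per platform, from the CVE description
    "mac": (55, 0, 2883, 75),
    "windows": (55, 0, 2883, 75),
    "linux": (55, 0, 2883, 75),
    "android": (55, 0, 2883, 84),
}
CPE_LAST_VULNERABLE = (54, 0, 2840, 99)  # upper bound in the NVD CPE criteria

def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'fixed', 'vulnerable', 'vulnerable-cpe-gap' or 'unknown'."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or bad version: review by hand
    if version >= fixed:
        return "fixed"
    # Below the vendor fix but above the CPE bound: a CPE-only match misses it.
    if version > CPE_LAST_VULNERABLE:
        return "vulnerable-cpe-gap"
    return "vulnerable"

def audit(inventory):
    """Map each hostname to its classification."""
    return {host: classify(platform, ver) for host, platform, ver in inventory}

# Constructed inventory: (hostname, platform, Chrome version).
SAMPLE_INVENTORY = [
    ("wks-001", "Windows", "55.0.2883.75"),
    ("wks-002", "Linux", "54.0.2840.99"),
    ("wks-003", "Mac", "55.0.2883.59"),      # constructed pre-fix 55.x build
    ("mob-004", "Android", "55.0.2883.75"),  # desktop fix number, not Android's
    ("wks-005", "Windows", "55.0.2883"),     # truncated version string
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` should be resolved manually rather than counted as patched.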
Official resources
Publicly recorded in the supplied CVE data on 2017-01-19 and modified on 2026-05-13. No Known Exploited Vulnerabilities entry is present in the provided enrichment.