PatchSiren

CVE-2016-5213 Google CVE debrief

CVE-2016-5213 is a high-severity memory-corruption flaw in Google Chrome's V8 engine. NVD describes it as a use-after-free that could let a remote attacker potentially trigger heap corruption via a crafted HTML page. Because exploitation requires only that a victim load attacker-controlled web content, this is a browser patching priority for managed desktops and Android fleets.

Vendor: Google
Product: CVE-2016-5213
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Chrome users and administrators, especially enterprise endpoint teams, browser management teams, and Android fleet owners. Any environment that regularly opens untrusted web content should treat this as a priority browser update.

Technical summary

The issue is classified as CWE-416 (use after free). NVD lists a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting a network-reachable attack path with user interaction required. The vulnerability affects Google Chrome prior to the fixed releases cited in the CVE description and associated Chrome release references, with NVD CPE data marking versions through 54.0.2840.99 as vulnerable. The attack surface is the V8 JavaScript engine, and the described impact is potential heap corruption from a crafted HTML page.

Defensive priority

High — remote, browser-triggered memory corruption with no privileges required and only user interaction needed.

Recommended defensive actions

  • Update Google Chrome on desktop to 55.0.2883.75 or later.
  • Update Google Chrome on Android to 55.0.2883.84 or later.
  • Use vendor/browser management tooling to confirm affected builds are removed from the fleet.
  • Prioritize systems that browse untrusted or internet-facing content, including shared workstations and developer endpoints.
  • Track vendor and distribution advisories referenced in NVD to verify patch coverage across supported channels.

Evidence notes

The CVE description states that a use-after-free in V8 could allow remote heap corruption via crafted HTML pages. NVD metadata identifies CWE-416 and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The referenced sources include Google's Chrome release note, a Chromium issue reference (crbug.com/652548), Gentoo GLSA, and Red Hat RHSA. Note that the prose description and the NVD CPE version criteria are not perfectly aligned: the description names fixed versions 55.0.2883.75 (desktop) and 55.0.2883.84 (Android), while the CPE record marks Chrome versions through 54.0.2840.99 as vulnerable. For remediation, prioritize the vendor fix references cited in NVD.
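The fleet check from the recommended actions, combined with the version mismatch described in the evidence notes, can be sketched as below. This is an added example, not code from PatchSiren, NVD or Google; the CSV layout, hostnames and sample builds are constructed, and the status labels are assumptions.

```python
import csv
import io

# Fixed builds named in the CVE description (from this page).
FIXED = {"desktop": (55, 0, 2883, 75), "android": (55, 0, 2883, 84)}
# Highest build the NVD CPE record marks as vulnerable (from this page).
CPE_MAX_VULNERABLE = (54, 0, 2840, 99)

# Constructed sample inventory; hosts, builds and column names are assumptions.
SAMPLE_INVENTORY = """host,platform,chrome_version
ws-001,desktop,54.0.2840.99
ws-002,desktop,55.0.2883.75
ws-003,desktop,55.0.2883.44
tab-01,android,55.0.2883.75
tab-02,android,55.0.2883.84
ws-004,desktop,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a four-part build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Classify one endpoint against the vendor fix and the CPE ceiling."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"            # cannot be shown patched: needs follow-up
    if version >= fixed:
        return "patched"
    if version <= CPE_MAX_VULNERABLE:
        return "vulnerable"         # CPE data and fix version agree
    return "vulnerable-cpe-gap"     # below the fix, but above the CPE ceiling

def audit(inventory_csv):
    """Map each host in the CSV inventory to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["chrome_version"]) for r in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as vulnerable-cpe-gap are the ones a scanner matching only on the CPE range would miss; the Android fix threshold is also higher than the desktop one, so the platform column matters.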

Official resources

Publicly disclosed in the CVE record on 2017-01-19. The source item was later modified on 2026-05-13, but that date reflects record maintenance rather than the vulnerability's original disclosure. The issue was fixed in Chrome release notes