PatchSiren cyber security CVE debrief

CVE-2016-5215 Google CVE debrief

CVE-2016-5215 is a browser memory-safety issue in Google Chrome's WebAudio component. According to the supplied NVD record, a crafted HTML page could trigger a use-after-free that led to an out-of-bounds memory read. The CVE is rated medium severity (CVSS 6.3) and is classified as CWE-416.

Vendor: Google
Product: CVE-2016-5215
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Organizations that run Google Chrome on desktops or Android should care, especially their endpoint and browser fleet administrators. Any user who may open untrusted or attacker-controlled web content should treat this as relevant.

Technical summary

The supplied NVD description says Chrome's WebAudio code had a use-after-free condition that a remote attacker could reach through a crafted HTML page, resulting in an out-of-bounds memory read. NVD maps the weakness to CWE-416 and gives the CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, indicating network reachability but requiring user interaction.

Defensive priority

Medium. This is a remotely reachable browser memory-safety flaw that needs user interaction, but it affects a widely deployed client application and involves unsafe memory access.

Recommended defensive actions

  • Update Google Chrome to a fixed release at or above the vendor-published remediation level referenced in the Chrome stable channel update.
  • Verify browser versions across desktop and Android fleets, including managed and unmanaged endpoints.
  • If you use downstream browser packages, check the linked distribution advisories for patched package versions.
  • Prioritize users who routinely browse untrusted content or for whom a browser compromise would carry elevated business impact.
  • Track affected systems until version compliance is confirmed; do not rely on the browser auto-update state alone.
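
One way to carry out the version verification in the actions above, as an added example that is not code from PatchSiren, Google or NVD: it compares inventory versions numerically against the fixed builds named in this page's evidence notes (55.0.2883.75 desktop, 55.0.2883.84 Android). The inventory rows, hostnames and function names are constructed for illustration.

```python
# Added example: fleet version compliance check for CVE-2016-5215.
# Fixed builds are the ones named on this page; inventory rows are constructed.
FIXED = {"desktop": (55, 0, 2883, 75), "android": (55, 0, 2883, 84)}

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unparseable or unrecognized: needs manual follow-up
    # Tuple comparison is numeric per component, unlike a string comparison.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Group hostnames by status so open items can be tracked to closure."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("wks-001", "desktop", "54.0.2840.99"),
    ("wks-002", "desktop", "55.0.2883.75"),
    ("wks-003", "desktop", "55.0.2883.100"),  # a string compare would misorder this
    ("mob-001", "android", "55.0.2883.75"),   # below the Android fixed build
    ("mob-002", "android", "55.0.2883.84"),
    ("wks-004", "desktop", ""),               # agent reported no version
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" group are the ones that auto-update status alone would hide, so they stay open until a version is actually reported.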

Evidence notes

The NVD record for CVE-2016-5215 describes a use-after-free in WebAudio that could be triggered by a crafted HTML page, and assigns CWE-416 with CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The supplied references include Google's Chrome stable channel update, the Chromium issue tracker entry, and downstream advisories from Red Hat and Gentoo. The corpus also contains a versioning inconsistency: the description names fixed Chrome versions 55.0.2883.75 (desktop) and 55.0.2883.84 (Android), while the NVD CPE criterion marks Chrome versions through 54.0.2840.99 as vulnerable.

Official resources

The supplied official references indicate Google disclosed and patched the issue in the Chrome stable channel update, and the CVE record was published by NVD on 2017-01-19. No CISA KEV enrichment is present in the supplied corpus.