PatchSiren cyber security CVE debrief
CVE-2016-5217 Google CVE debrief
CVE-2016-5217 describes an access-control flaw in Google Chrome's extensions API that could let a remote attacker reach privileged plugins and bypass site isolation using a crafted HTML page. The issue is rated medium severity (CVSS 6.5), but it matters because the impact is on browser isolation boundaries rather than a simple crash or nuisance bug. The public record ties the fix to Chrome releases 55.0.2883.75 for Mac, Windows, and Linux, and 55.0.2883.84 for Android.
- Vendor
- Product
- CVE: CVE-2016-5217
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-19
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-19
- Advisory updated: 2026-05-13
Who should care
Security teams managing Chrome on desktops or Android, browser and endpoint administrators, and organizations that rely on Chrome for sensitive web applications or extension-heavy workflows should care most. Any environment with unpatched Chrome versions in the affected range should treat this as a prompt browser update item.
Technical summary
NVD classifies the weakness as CWE-284 (improper access control). The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, which means the issue is network-reachable, does not require privileges, does require user interaction, and primarily affects integrity. According to the CVE description, the extensions API incorrectly permitted access to privileged plugins, allowing a remote attacker to bypass site isolation from a crafted HTML page. The source record also lists affected Chrome versions up to 54.0.2840.99 in the NVD CPE data, while the vendor-facing release note identifies the fixed versions as 55.0.2883.75 (desktop) and 55.0.2883.84 (Android).
Defensive priority
Prioritize patching any exposed or unmanaged Chrome installations, especially where users may open untrusted pages or where browser isolation is part of the security model. Although the CVSS score is medium and user interaction is required, the bug affects a core security boundary and can enable meaningful integrity impact, so it should be handled as a timely browser remediation item.
Recommended defensive actions
- Update Google Chrome to 55.0.2883.75 or later on Mac, Windows, and Linux, and to 55.0.2883.84 or later on Android.
- Verify managed fleet compliance for Chrome version floors rather than relying on user self-update.
- Review browser hardening and extension governance for environments that depend on site isolation or sensitive internal web apps.
- Use the official Chrome release note and vendor advisories to confirm the fix is present in your deployed build line.
- Treat untrusted HTML content and extension-install workflows as higher-risk user interaction paths until patched.
Evidence notes
The CVE description states that the extensions API incorrectly permitted access to privileged plugins and enabled a site-isolation bypass via crafted HTML. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N and CWE-284. The vendor reference in the NVD record points to Chrome's stable channel update, and downstream advisories from Red Hat and Gentoo are listed in the same record. There is a version-expression discrepancy worth noting: the description names fixed versions 55.0.2883.75/84, while the NVD CPE data lists vulnerable Chrome versions through 54.0.2840.99.
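The version-floor check recommended above, written to also surface the discrepancy described here between the NVD CPE ceiling (54.0.2840.99) and the vendor fixed versions (55.0.2883.75 desktop, 55.0.2883.84 Android). This is an added example, not PatchSiren's or Google's code; the host names and inventory rows are constructed, and the per-platform floors are taken from the release note cited on this page.

```python
# Fixed versions from the Chrome 55 stable release note cited on the page.
FIXED = {
    "windows": "55.0.2883.75",
    "mac": "55.0.2883.75",
    "linux": "55.0.2883.75",
    "android": "55.0.2883.84",
}
# Highest version the NVD CPE data marks as vulnerable; it does not line up
# with the vendor floor, so builds in between need manual confirmation.
NVD_MAX_VULN = "54.0.2840.99"


def parse_version(v: str) -> tuple:
    """Turn '55.0.2883.75' into (55, 0, 2883, 75) so comparison is numeric,
    not lexical (a string compare would rank '54.0.2840.100' below '.99')."""
    return tuple(int(part) for part in v.strip().split("."))


def classify(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable', 'unconfirmed' or 'unknown-platform'.
    'unconfirmed' covers builds above the NVD CPE ceiling but below the
    vendor fixed version, where the two sources disagree."""
    floor = FIXED.get(platform.lower())
    if floor is None:
        return "unknown-platform"
    v = parse_version(version)
    if v >= parse_version(floor):
        return "patched"
    if v <= parse_version(NVD_MAX_VULN):
        return "vulnerable"
    return "unconfirmed"


def audit(inventory):
    """inventory: iterable of (host, platform, version) rows, e.g. from an
    MDM export. Returns {host: status} for every host that is not patched."""
    findings = {}
    for host, platform, version in inventory:
        status = classify(platform, version)
        if status != "patched":
            findings[host] = status
    return findings


# Constructed sample inventory (hypothetical hosts, not from the page).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "54.0.2840.99"),
    ("ws-02", "mac", "55.0.2883.75"),
    ("ws-03", "linux", "54.0.2840.100"),   # above CPE ceiling, below fix
    ("phone-01", "android", "55.0.2883.75"),  # desktop floor, not Android's
    ("phone-02", "android", "55.0.2883.84"),
    ("srv-01", "chromeos", "55.0.2883.90"),   # platform not in the record
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unconfirmed" should be checked against the official release note for their build line rather than assumed safe.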
Official resources
The CVE was published on 2017-01-19. The NVD record was last modified on 2026-05-13, so that later date should be treated as record maintenance context, not the original issue date. The vendor reference in the NVD record points to Chrome's