PatchSiren cyber security CVE debrief
CVE-2016-5218 Google CVE debrief
CVE-2016-5218 describes a Google Chrome issue where navigation within PDFs was handled incorrectly, allowing a remote attacker to temporarily spoof the contents of the Omnibox (URL bar) from a crafted HTML page containing PDF data. The issue was publicly recorded on 2017-01-19 and carries medium severity in the supplied data, with user interaction required and an integrity impact focused on what the browser shows the user. The supplied references indicate Google’s fix was delivered before the CVE was published, and downstream advisories tracked the update.
- Vendor: Google
- Product: Chrome
- CVE: CVE-2016-5218
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-19
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-19
- Advisory updated: 2026-05-13
Who should care
Browser security teams, enterprise desktop and mobile administrators, and users who open untrusted web content in Chrome should care. This is especially relevant for environments that rely on the browser UI as a trust signal, since the bug could mislead users while viewing pages that embed PDF data.
Technical summary
NVD describes the flaw as an extensions API handling problem in Chrome’s PDF navigation path that allowed temporary spoofing of Omnibox contents. The CVSS vector supplied by NVD is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, reflecting a network-reachable issue that requires user interaction and primarily affects integrity. The vendor-facing description in the corpus says the issue was fixed in Chrome 55.0.2883.75 for Mac/Windows/Linux and 55.0.2883.84 for Android. NVD’s CPE data marks Chrome versions through 54.0.2840.99 as vulnerable, a ceiling that sits below the vendor fix versions, so version guidance should be taken from the vendor fix references in the corpus rather than from the CPE range alone.
Defensive priority
Medium
Recommended defensive actions
- Upgrade Google Chrome to 55.0.2883.75 or later on desktop and 55.0.2883.84 or later on Android.
- Verify that browser auto-update is enabled and that managed endpoints are not pinned to vulnerable Chrome builds.
- Treat unexpected URL bar changes while viewing PDF-containing pages as a security signal worth investigating.
- Use the vendor release notes and downstream advisories to confirm remediation status across all supported platforms.
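As an added illustration that is not part of the advisory, the following Python helper checks an endpoint inventory against the per-platform fix versions listed above and separately flags unfixed builds that NVD's CPE ceiling would have classified as unaffected; the hostnames and inventory rows are constructed sample data.

```python
# Fix versions from the vendor references cited in the debrief above.
FIXED_VERSIONS = {p: "55.0.2883.75" for p in ("windows", "mac", "linux")}
FIXED_VERSIONS["android"] = "55.0.2883.84"
# NVD's vulnerable-CPE ceiling quoted in the debrief; it sits below the vendor
# fix versions, so it is reported for comparison but not used as the target.
NVD_CPE_CEILING = "54.0.2840.99"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome build like '55.0.2883.75' into a comparable tuple."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version: str, platform: str) -> bool:
    """True when the installed build is at or above the platform's fix version."""
    target = FIXED_VERSIONS.get(platform.lower())
    if target is None:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= parse_version(target)


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Sort (host, platform, version) rows into fixed and vulnerable hosts, and
    flag vulnerable builds that NVD's CPE range alone would have missed."""
    result = {"fixed": [], "vulnerable": [], "missed_by_nvd_range": []}
    ceiling = parse_version(NVD_CPE_CEILING)
    for host, platform, version in inventory:
        if is_fixed(version, platform):
            result["fixed"].append(host)
            continue
        result["vulnerable"].append(host)
        if parse_version(version) > ceiling:
            result["missed_by_nvd_range"].append(host)
    return result


# Constructed sample inventory: (hostname, platform, installed Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "55.0.2883.75"),   # exactly the desktop fix version
    ("ws-02", "linux", "54.0.2840.99"),     # at NVD's CPE ceiling, still unfixed
    ("ws-03", "mac", "55.0.2883.21"),       # above the ceiling, below the fix
    ("ph-01", "android", "55.0.2883.75"),   # fixed on desktop, not yet on Android
]
```

Running `triage(SAMPLE_INVENTORY)` shows why the vendor fix versions are the safer remediation target: two of the three unfixed hosts are newer than the NVD CPE ceiling.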
Evidence notes
This debrief is based only on the supplied NVD record, CVE metadata, and listed references. The key evidence is the NVD description of temporary Omnibox spoofing via crafted HTML containing PDF data, the NVD CVSS 3.0 vector, the NVD CPE range, and Google-linked references including the Chrome stable channel update, the crbug tracking entry, and downstream advisories. The corpus also shows a version detail mismatch between NVD’s vulnerable CPE ceiling and the vendor fix versions; the vendor fix versions are the safer remediation target.
Official resources
The CVE record was published on 2017-01-19. The corpus also points to a December 2016 Chrome stable-channel update and related downstream advisories, indicating the fix was already in distribution before the public CVE publication date.