PatchSiren cyber security CVE debrief
CVE-2016-5220 Google CVE debrief
CVE-2016-5220 describes a Google Chrome PDFium flaw where navigation within PDFs was handled incorrectly, allowing a remote attacker to read local files through a crafted PDF. The issue is an information disclosure problem (CWE-200) with user interaction required, and NVD rates it CVSS 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
- Vendor: Google
- Product: Google Chrome
- CVE ID: CVE-2016-5220
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-19
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-19
- Advisory updated: 2026-05-13
Who should care
Security teams managing Google Chrome on Mac, Windows, Linux, or Android; endpoint administrators; and users or organizations that open untrusted PDFs in the browser.
Technical summary
The supplied record says PDFium incorrectly handled navigation inside PDFs, enabling a crafted PDF to access local files. NVD classifies the weakness as CWE-200 and assigns a network-reachable, user-interaction-required CVSS v3.0 score of 6.5 with high confidentiality impact and no integrity or availability impact. The vendor description identifies fixed Chrome versions as 55.0.2883.75 for desktop platforms and 55.0.2883.84 for Android.
Defensive priority
Medium-high: prioritize patching Chrome on user endpoints and any fleet that opens PDFs in-browser, because the issue can expose local file contents after a malicious PDF is opened.
Recommended defensive actions
- Update Google Chrome to the vendor-fixed version or later: 55.0.2883.75 for Mac, Windows, and Linux, or 55.0.2883.84 for Android.
- Verify managed browsers are on current supported builds and that auto-update is not blocked by policy or packaging.
- Treat untrusted PDFs as higher risk, especially in environments where the browser handles PDF rendering directly.
- Use the linked vendor advisories and package-maintainer notices to confirm remediation across downstream distributions.
- Recheck asset inventories for any Chrome deployments that may lag behind the fixed release train.
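The version check in the first two actions is easy to get wrong when the fixed build differs per platform and version strings are compared as text. The following script is an added example, not part of the PatchSiren record or any Google tooling; it compares inventory entries against the vendor-fixed versions named above, and the hostnames and version strings are constructed samples.

```python
import re
from typing import List, Tuple

# Vendor-fixed Chrome versions named in the CVE-2016-5220 description.
FIXED_VERSIONS = {
    "mac": "55.0.2883.75",
    "windows": "55.0.2883.75",
    "linux": "55.0.2883.75",
    "android": "55.0.2883.84",
}

# Matches a four-part version inside a bare string or "Google Chrome X.Y.Z.W".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version and return it as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part Chrome version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version_text: str, platform: str) -> bool:
    """True if the build is at or above the fixed version for its platform.
    Tuples compare numerically per component, so 54.0.2840.99 sorts below
    55.0.2883.75 (a plain string comparison would not be reliable)."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version_text) >= parse_version(FIXED_VERSIONS[key])


def assess(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, platform, version) rows still below the fixed release."""
    return [(h, p, v) for h, p, v in inventory if not is_fixed(v, p)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are not real assets.
    sample = [
        ("ws-01", "windows", "Google Chrome 54.0.2840.99"),
        ("ws-02", "linux", "Google Chrome 55.0.2883.75"),
        ("phone-01", "android", "55.0.2883.75"),  # desktop fix level, below Android fix
        ("phone-02", "android", "55.0.2883.84"),
    ]
    for row in assess(sample):
        print("needs update:", row)
```

Note that an Android device at 55.0.2883.75 is still flagged, because the Android fix landed in 55.0.2883.84.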
Evidence notes
The core evidence comes from the supplied NVD description: PDFium in Google Chrome incorrectly handled PDF navigation, allowing remote local-file reads via a crafted PDF. The NVD record also supplies the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N and lists CWE-200. Vendor references in the record point to Google Chrome stable channel release notes, Chromium bug 654279, and downstream advisories from Red Hat and Gentoo. The supplied record also shows a CPE range ending at Chrome 54.0.2840.99, while the description names fixed versions in the 55.0.2883.x line; remediation should follow the vendor-fixed versions in the description or later.
Official resources
Public CVE disclosure date in the supplied timeline is 2017-01-19. The NVD record was later modified on 2026-05-13, which is metadata update timing rather than the original vulnerability disclosure date. No CISA KEV entry is present in the