PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5221 Google CVE debrief

CVE-2016-5221 is a Google Chrome vulnerability in libGLESv2, part of the ANGLE graphics layer. According to the CVE description, a type confusion issue lets a remote attacker use a crafted HTML page to bypass buffer validation. The CVE record was published on 2017-01-19 and later modified by NVD on 2026-05-13. The supplied record classifies the issue as medium severity (CVSS 3.0 base score 6.3): network attack vector, no privileges required, but user interaction (loading the page) is required.

Vendor
Google
Product
Google Chrome
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-19
Original CVE updated
2026-05-13
Advisory published
2017-01-19
Advisory updated
2026-05-13

Who should care

Organizations running Google Chrome on managed Mac, Windows, Linux, or Android fleets should care most, especially teams responsible for browser patching, endpoint management, and exposure reduction for users who browse untrusted web content.

Technical summary

The reported flaw is a type confusion bug in libGLESv2, the OpenGL ES implementation inside ANGLE, which Chrome uses to run WebGL and other GPU work on top of native graphics APIs. The CVE description says a crafted HTML page can bypass buffer validation, so attacker-controlled web content can reach a code path in that library that mishandles object types or related state. The record does not say which web API the page must call; ANGLE's role makes scripted graphics content the likely trigger, but that is an inference, not a statement from the record. NVD lists the CVSS 3.0 vector as AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L: exploitable remotely with no privileges, but the victim must load the page. The corpus gives the affected range in two forms that agree with each other. The CVE description names the first fixed builds, Chrome 55.0.2883.75 on Mac, Windows, and Linux and 55.0.2883.84 on Android, so every earlier build on each platform is affected. NVD's CPE criteria in the supplied record mark versions up to and including 54.0.2840.99 as vulnerable, which sits directly below the 55.0.2883.x fix builds. One caveat for triage: the NVD range stops at the 54 line and does not express the Android gap, where builds 55.0.2883.75 through 55.0.2883.83 are fixed on desktop but still vulnerable per the description, so use the per-platform values from the description rather than the single CPE cutoff.

Defensive priority

Medium priority: the bug is reachable from web content without any privileges, and the only precondition is that a user opens an attacker-controlled page, so browser fleet patching and version verification should be handled promptly.

Recommended defensive actions

  • Update Google Chrome to a fixed release at or above the version named in the CVE description for each platform (55.0.2883.75 on Mac, Windows, and Linux; 55.0.2883.84 on Android).
  • Check endpoint inventories for Chrome versions that fall within the vulnerable ranges shown in the supplied record, comparing version components numerically rather than as strings.
  • Prioritize patching for users who routinely visit untrusted or ad-supported web content.
  • Review browser update channels on managed devices to confirm that the patched version is actually deployed and retained, not just offered.
  • Use vendor advisories and the NVD record to confirm the affected version range before making triage decisions.
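The inventory check and the per-platform version ranges discussed in the technical summary, as an added example written for this debrief (not PatchSiren or Google code). It uses the fixed versions from the CVE description and NVD's CPE cutoff from the supplied record; the hostnames, platforms, and version strings in the sample inventory are constructed for illustration. The point it makes that a grep cannot is that Chrome versions must be compared component by component: the string "55.0.2883.9" sorts above "55.0.2883.75" lexically but is the older, still-vulnerable build.

```python
"""Triage a Chrome inventory against the CVE-2016-5221 fixed versions.

Added example for this debrief, not PatchSiren or Google code. Fixed versions
are taken from the CVE description; the inventory rows are constructed.
"""
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]

# First fixed build per platform, from the CVE description.
FIXED_VERSION: Dict[str, Version] = {
    "mac": (55, 0, 2883, 75),
    "windows": (55, 0, 2883, 75),
    "linux": (55, 0, 2883, 75),
    "android": (55, 0, 2883, 84),
}

# Last release that NVD's CPE range in the supplied record marks vulnerable.
NVD_LAST_VULNERABLE: Version = (54, 0, 2840, 99)


def parse_version(text: str) -> Version:
    """Turn '55.0.2883.75' into (55, 0, 2883, 75).

    Chrome versions are MAJOR.MINOR.BUILD.PATCH. A lexical comparison would
    rank '55.0.2883.9' above '55.0.2883.75', so compare integer tuples.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool:
    """True when this build predates the platform's first fixed release."""
    key = platform.strip().lower()
    if key not in FIXED_VERSION:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < FIXED_VERSION[key]


class Host(NamedTuple):
    name: str
    platform: str
    chrome: str


def triage(inventory: List[Host]) -> List[str]:
    """Return the names of hosts still on a vulnerable Chrome build, sorted."""
    return sorted(h.name for h in inventory if is_vulnerable(h.chrome, h.platform))


# Constructed sample inventory; names, platforms and versions are made up.
SAMPLE_INVENTORY: List[Host] = [
    Host("ws-001", "Windows", "54.0.2840.99"),  # NVD's last listed vulnerable build
    Host("ws-002", "Windows", "55.0.2883.75"),  # first fixed desktop build
    Host("mac-01", "Mac", "55.0.2883.9"),       # lexically "newer", actually older
    Host("lnx-07", "Linux", "56.0.2924.87"),    # later major, fixed
    Host("and-03", "Android", "55.0.2883.75"),  # fixed on desktop, not on Android
    Host("and-04", "Android", "55.0.2883.84"),  # first fixed Android build
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: Chrome update required for CVE-2016-5221")
```

Run it as-is to see the three constructed hosts that need updates; in practice, replace SAMPLE_INVENTORY with rows exported from your endpoint management tool, keeping the platform column so Android hosts are held to the higher 55.0.2883.84 threshold.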

Evidence notes

All substantive claims are taken from the supplied CVE/NVD corpus and listed official/vendor references. The CVE description identifies type confusion in libGLESv2 in ANGLE in Google Chrome and states that a crafted HTML page may bypass buffer validation. The NVD metadata supplies CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L and a vulnerable CPE range ending at 54.0.2840.99. The supplied description also states platform-specific fixed versions 55.0.2883.75 and 55.0.2883.84. The record was published on 2017-01-19 and modified on 2026-05-13. No KEV entry is present in the supplied enrichment.

Official resources

Public vulnerability disclosure was captured in the CVE/NVD record and vendor-linked references; the supplied enrichment does not mark this CVE as KEV.