PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5222 Google CVE debrief

CVE-2016-5222 describes an issue in Google Chrome where incorrect handling of invalid URLs could let a remote attacker use a crafted HTML page to spoof the contents of the Omnibox (URL bar). The supplied record assigns CVSS 6.5 (Medium) and indicates user interaction is required. The primary security concern is user deception: a page can make the browser’s address bar appear to show something other than the actual destination, which can undermine trust and facilitate phishing-style attacks.

Vendor: Google
Product: CVE-2016-5222
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Anyone running affected Google Chrome builds should care, especially organizations that rely on browser trust signals for phishing resistance. This includes desktop Chrome users and managed fleets, plus Android users on versions earlier than the fixed release noted in the CVE description.

Technical summary

The record says Chrome handled invalid URLs incorrectly, allowing a remote attacker with a crafted HTML page to spoof the Omnibox contents. In practical defensive terms, this is a browser UI integrity problem: the displayed URL can mislead a user about where they are navigating. NVD’s CVSS vector reflects network attackability, low attack complexity, no privileges required, and user interaction required, with impact limited to integrity.

Defensive priority

Medium priority. Patch promptly because the flaw can help an attacker impersonate a trusted destination in the browser UI, but the supplied record does not indicate code execution, data theft, or availability impact.

Recommended defensive actions

  • Update Google Chrome to a fixed release. The CVE description states the issue was fixed before 55.0.2883.75 on Mac, Windows, and Linux, and before 55.0.2883.84 on Android.
  • Verify fleet exposure by checking deployed Chrome versions against the affected range in the supplied record and NVD entry.
  • Treat browser address-bar trust as a phishing control: reinforce user verification habits for login pages and sensitive workflows.
  • Use managed update channels and compliance checks to ensure browsers do not remain on vulnerable builds.
  • Review enterprise browser hardening and reporting so suspicious URL-bar spoofing reports can be triaged quickly.
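The second action above, checking deployed versions against the affected range, is easy to get wrong if versions are compared as strings. The following script is an added example (not PatchSiren's own tooling) that compares four-part Chrome version numbers numerically against the fixed releases stated in the CVE description, per platform. The inventory lines it reads are constructed sample data in a hypothetical hostname,platform,version format.

```python
"""Fleet exposure check for CVE-2016-5222 (added example, not PatchSiren's code).

Fixed releases are taken from the CVE description: 55.0.2883.75 on Mac,
Windows and Linux, 55.0.2883.84 on Android. Anything older is flagged.
"""
from typing import List, Tuple

FIXED = {
    "windows": (55, 0, 2883, 75),
    "mac": (55, 0, 2883, 75),
    "linux": (55, 0, 2883, 75),
    "android": (55, 0, 2883, 84),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Chrome versions are dotted integers (major.minor.build.patch).

    They must be compared numerically: as strings, '9.0.597.0' sorts after
    '55.0.2883.75' and an ancient build would be reported as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the version predates the fixed release for that platform."""
    key = platform.strip().lower()
    if key not in FIXED:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < FIXED[key]


def triage(inventory: str) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Split 'host,platform,version' lines into (vulnerable, patched, unparseable)."""
    vulnerable, patched, errors = [], [], []
    for line in inventory.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            errors.append((line, "expected host,platform,version"))
            continue
        host, platform, version = fields
        try:
            (vulnerable if is_vulnerable(platform, version) else patched).append(host)
        except ValueError as exc:
            # Unparseable entries must be surfaced, never silently treated as patched.
            errors.append((host, str(exc)))
    return vulnerable, patched, errors


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """\
ws-001,windows,54.0.2840.99
ws-002,windows,55.0.2883.75
mac-007,mac,55.0.2883.87
phone-03,android,55.0.2883.75
phone-04,android,55.0.2883.84
srv-lin,linux,9.0.597.0
lab-box,linux,55.0
"""

if __name__ == "__main__":
    vuln, ok, bad = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)
    print("patched:   ", ok)
    print("unparsed:  ", bad)
```

Note that phone-03 is flagged even though 55.0.2883.75 is the desktop fix, because the Android boundary is the later 55.0.2883.84; platform must be part of the comparison. The check uses the CVE description's boundary rather than the narrower CPE range ending at 54.0.2840.99 that the Evidence notes mention, so it errs toward reporting exposure.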

Evidence notes

Primary evidence comes from the supplied NVD record and its referenced sources. The CVE was published on 2017-01-19 and later modified on 2026-05-13. The supplied description states the flaw affected Chrome prior to 55.0.2883.75 on Mac/Windows/Linux and 55.0.2883.84 on Android, and that it allowed spoofing of the Omnibox via a crafted HTML page. NVD also lists CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N and CWE-20. Note: the supplied NVD CPE criteria also list a desktop affected range ending at 54.0.2840.99, which is not identical to the version boundary in the CVE description; this debrief preserves both as supplied.

Official resources

CVE published in the supplied record on 2017-01-19 and modified on 2026-05-13. No KEV entry was supplied.