PatchSiren cyber security CVE debrief
CVE-2016-5223 Google CVE debrief
CVE-2016-5223 is a client-side memory-safety issue in Google Chrome's PDFium component. The CVE description says a crafted PDF could trigger an integer overflow, which in turn could lead to heap corruption or a denial of service. The record also indicates the issue was addressed in Chrome releases for Mac, Windows, Linux, and Android. Because the attack requires a user to open or process a malicious PDF, the primary security concern is exposure to untrusted documents rather than remote, unauthenticated browser compromise.
- Vendor
- Product
- CVE-2016-5223
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-19
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-19
- Advisory updated
- 2026-05-13
Who should care
Organizations running Google Chrome on managed desktops or Android devices, especially users who regularly open PDFs from email, web downloads, or shared drives. Security and patch-management teams should care most if Chrome updates are delayed or if users commonly handle untrusted documents.
Technical summary
The NVD record maps this issue to CWE-190 (integer overflow) and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a network-reachable issue that needs user interaction and primarily affects availability. The supplied description states the overflow occurs in PDFium, Chrome's PDF processing component, and that a crafted PDF may cause heap corruption or DoS. This is consistent with a browser-document parser flaw rather than a privilege-escalation or data-exfiltration issue.
Defensive priority
Medium. Prioritize patching if your users frequently open PDFs in Chrome or if your fleet includes lagging desktop and Android builds. The issue requires user interaction, but it can still be disruptive and can expose clients to memory corruption.
Recommended defensive actions
- Update Google Chrome to a fixed release for each platform; the CVE description lists fixes at 55.0.2883.75 for Mac, Windows, and Linux, and 55.0.2883.84 for Android.
- Verify deployed Chrome versions against both the CVE description and the NVD version range before closing remediation.
- Reduce exposure to untrusted PDFs by favoring sandboxed handling and security-aware document workflows until patched systems are confirmed.
- Prioritize managed endpoints where Chrome is used for email, downloads, and external document viewing, since user interaction is required for exploitation.
- Track vendor advisories and distro notices referenced in the NVD record to ensure downstream packages are updated as well.
Evidence notes
The supplied CVE description states: "Integer overflow in PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption or DoS via a crafted PDF file." The NVD metadata maps the weakness to CWE-190 and gives CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The NVD record also includes references to a Chrome stable-channel release note, a Chromium issue, and vendor/distro advisories. Note that the supplied NVD CPE ceiling (54.0.2840.99) does not exactly match the fixed-version list in the CVE description, so version scope should be validated against vendor release guidance.
Official resources
Publicly recorded in the CVE/NVD on 2017-01-19. No CISA KEV entry is included in the supplied enrichment data.