PatchSiren cyber security CVE debrief
CVE-2016-9650 Google CVE debrief
CVE-2016-9650 is a Google Chrome Blink vulnerability that could let a remote attacker bypass a no-referrer policy by getting a victim to load a crafted HTML page. NVD assigns a medium-severity CVSS 3.0 score of 4.3, and the published record ties the issue to Chrome versions before 55.0.2883.75 on desktop platforms and before 55.0.2883.84 on Android. The practical risk is limited but relevant wherever browser referrer controls are relied on for privacy or workflow separation.
- Vendor: Google
- Product: Chrome
- CVE: CVE-2016-9650
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-19
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-19
- Advisory updated: 2026-05-13
Who should care
Organizations running Google Chrome on managed desktops or Android devices, especially security teams that rely on referrer-policy behavior for privacy controls, analytics separation, or internal web app assumptions. End users on affected Chrome versions should also update promptly.
Technical summary
According to the NVD description, Blink in Chrome incorrectly handled iframes, which allowed a remote attacker to bypass a no-referrer policy via a crafted HTML page. NVD classifies the weakness as CWE-19 (Data Processing Errors), a broad category rather than a specific referrer-handling weakness. The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: reachable over the network with low attack complexity and no privileges, but requiring user interaction (the victim must load the attacker's page), with unchanged scope, a low integrity impact, and no confidentiality or availability impact as scored. Note that the score treats the disclosed Referer as an integrity problem; in deployments where the referring URL itself carries sensitive data (search terms, document paths, capability links, tokens in query strings), the practical privacy consequence is larger than C:N suggests.
Defensive priority
Medium. The issue is not rated high severity, but it affects a widely deployed browser component and can undermine privacy or security assumptions around referrer handling. Priority should be higher in environments that depend on strict referrer suppression or that have many unmanaged browser clients.
Recommended defensive actions
- Update Google Chrome to a fixed release: 55.0.2883.75 or later on Mac, Windows, and Linux, and 55.0.2883.84 or later on Android. Note that the Android threshold is higher: 55.0.2883.75 on Android is still affected.
- Verify fleet-wide browser version compliance using endpoint management or browser management tooling, comparing the four version fields numerically rather than as strings so that, for example, 55.0.2883.100 is not ranked below 55.0.2883.75.
- Review any application logic that assumes no-referrer behavior for sensitive navigation flows (for example, treating an absent Referer as proof that a request did not originate from a given page, or relying on suppression to keep tokens in URLs from leaking), and avoid depending on referrer suppression as the only control. Where possible, move sensitive values out of URLs altogether.
- Keep Chrome auto-update enabled and ensure Android patch deployment reaches managed devices quickly.
- If you maintain internal web apps, test referrer-policy assumptions across browser versions during release validation, including requests issued from nested iframes, since that is the path this issue involves.
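The version check in the list above is easy to get wrong when inventory data is compared as text. The following is an added example, not code from the PatchSiren page or from Google: it encodes the two fixed-version thresholds the NVD record gives, compares Chrome's four-field version numerically, and audits a constructed sample inventory (hypothetical host names, not real data), reporting unparsable entries separately rather than silently treating them as compliant.

```javascript
'use strict';
// Added example: per-platform fixed-version check for CVE-2016-9650 using
// the thresholds from the NVD record. Not code from the PatchSiren page or
// from Google; the inventory rows below are constructed sample data.

// Fixed releases from the NVD record: desktop platforms and Android differ.
const FIXED_VERSIONS = {
  windows: '55.0.2883.75',
  mac: '55.0.2883.75',
  linux: '55.0.2883.75',
  android: '55.0.2883.84',
};

// Chrome versions are four dot-separated integers. Parse strictly so that
// values such as "55.0" or "55.0.2883.75-beta" are rejected rather than
// silently treated as compliant.
function parseChromeVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  if (!m) throw new Error(`not a Chrome version: ${s}`);
  return m.slice(1).map(Number);
}

// Field-by-field numeric comparison. A plain string compare would rank
// "55.0.2883.100" below "55.0.2883.75" because "1" sorts before "7".
function compareVersions(a, b) {
  const pa = parseChromeVersion(a);
  const pb = parseChromeVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is below the fixed release for its platform.
function isVulnerable(version, platform) {
  const fixed = FIXED_VERSIONS[String(platform).toLowerCase()];
  if (!fixed) throw new Error(`unknown platform: ${platform}`);
  return compareVersions(version, fixed) < 0;
}

// Audit an inventory. Rows whose version or platform cannot be interpreted
// are reported separately instead of dropped: unknown state is not compliance.
function auditInventory(rows) {
  const vulnerable = [];
  const unparsable = [];
  for (const row of rows) {
    try {
      if (isVulnerable(row.version, row.platform)) vulnerable.push(row.host);
    } catch (e) {
      unparsable.push({ host: row.host, reason: e.message });
    }
  }
  return { vulnerable, unparsable };
}

// Constructed sample inventory (hypothetical hosts, not real data).
const SAMPLE_INVENTORY = [
  { host: 'ws-001', platform: 'windows', version: '55.0.2883.75' },  // fixed
  { host: 'ws-002', platform: 'windows', version: '54.0.2840.99' },  // vulnerable
  { host: 'mac-003', platform: 'mac', version: '55.0.2883.100' },    // fixed, newer than .75
  { host: 'and-004', platform: 'android', version: '55.0.2883.75' }, // vulnerable: Android needs .84
  { host: 'and-005', platform: 'android', version: '55.0.2883.84' }, // fixed
  { host: 'lx-006', platform: 'linux', version: '55.0' },            // unparsable
];

console.log(JSON.stringify(auditInventory(SAMPLE_INVENTORY), null, 2));
```

Feed `auditInventory` the host, platform and version columns exported from your endpoint management tool; the `vulnerable` list is the patch backlog and the `unparsable` list is the set of hosts whose reported version needs a second look before they can be counted as compliant.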
Evidence notes
The NVD record states that Blink in Google Chrome prior to the fixed versions incorrectly handled iframes, enabling a remote attacker to bypass a no-referrer policy via a crafted HTML page. The same record provides the affected version boundary for Chrome CPE entries and lists CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N with CWE-19. The record also points to Chrome release notes, a Chrome bug, and downstream advisories as references.
Official resources
The supplied NVD record shows CVE publication on 2017-01-19T05:59:01.137Z and a later record modification on 2026-05-13T00:24:29.033Z. The issue affects Chrome versions before 55.0.2883.75 on desktop platforms and before 55.0.2883.84 on the