PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5006 Google CVE debrief

CVE-2017-5006 is a Google Chrome Blink vulnerability that could let a remote attacker inject arbitrary HTML or script into a page context, creating a universal cross-site scripting (UXSS) risk. The issue affected Chrome releases prior to the stated patched versions for desktop and Android and was fixed in those releases. Organizations should treat it as a browser integrity problem that can expose authenticated sessions and trusted web workflows if left unpatched.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Security teams and IT administrators managing Google Chrome on desktops or Android devices, especially where users access SSO portals, internal business apps, or other high-trust web applications in the browser.

Technical summary

NVD describes the flaw as incorrect handling of object owner relationships in Blink, tracked as CWE-79. The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 MEDIUM). In practical terms, a crafted HTML page could trigger script or HTML injection in a way that breaks same-origin expectations and enables UXSS-style impact.

Defensive priority

Moderate

Recommended defensive actions

  • Update Google Chrome to a fixed release on all supported desktop and Android fleets.
  • Verify that enterprise update channels are working and that no devices are pinned to vulnerable Chrome versions.
  • Prioritize patching for users who handle sensitive accounts, SSO sessions, or internal web applications in the browser.
  • Confirm browser version compliance with asset inventory and endpoint management tools.
  • Keep automatic browser updates enabled and alert on endpoints that fall behind the required Chrome version.

Evidence notes

The supplied NVD record lists CVSS 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79. The description states the Blink flaw affected Chrome versions prior to 56.0.2924.76 on Linux, Windows, and Mac, and prior to 56.0.2924.87 on Android. Supplied references include the Google Chrome stable-channel release note, Chromium bug 673170, and downstream advisories from Red Hat, Debian, and Gentoo, which support the patch context and affected-product scope.
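The version thresholds above, together with the version-compliance check recommended in the defensive actions, can be turned into a small inventory triage. The following is an added example written for this debrief, not PatchSiren or Google code; the inventory record layout and host names are constructed assumptions, and the fixed versions are the ones quoted from the NVD description.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed Chrome versions as stated in the NVD description quoted on this page.
FIXED_VERSIONS: Dict[str, str] = {
    "linux": "56.0.2924.76",
    "windows": "56.0.2924.76",
    "mac": "56.0.2924.76",
    "android": "56.0.2924.87",
}
_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    # '56.0.2924.76' -> (56, 0, 2924, 76); None if malformed. Comparing as
    # integer tuples avoids the string trap where '9.0.1' > '56.0.2924.76'.
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version: str, platform: str) -> Optional[bool]:
    # True when the installed build predates the platform's fixed release.
    # None when the platform is unknown or the version string is malformed,
    # so the caller can route the record to manual review rather than
    # silently counting it as patched.
    fixed = FIXED_VERSIONS.get(platform.lower())
    installed = parse_version(version)
    if fixed is None or installed is None:
        return None
    return installed < parse_version(fixed)

def triage_inventory(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    # Bucket inventory rows by verdict; hosts needing review are not dropped.
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "review": []}
    for rec in records:
        verdict = is_vulnerable(rec["chrome_version"], rec["platform"])
        key = "review" if verdict is None else ("vulnerable" if verdict else "patched")
        buckets[key].append(rec["host"])
    return buckets

# Constructed sample inventory: hypothetical hosts, not real telemetry.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "Windows", "chrome_version": "55.0.2883.87"},
    {"host": "ws-02", "platform": "Windows", "chrome_version": "56.0.2924.76"},
    {"host": "ph-03", "platform": "Android", "chrome_version": "56.0.2924.76"},
    {"host": "lx-09", "platform": "Linux", "chrome_version": "unknown"},
]
```

Note that the desktop fixed build is still below the Android threshold, so an Android device reporting 56.0.2924.76 is correctly flagged as vulnerable while the same string on Windows is patched.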

Official resources

Published by NVD on 2017-02-17 and last modified on 2026-05-13. The supplied corpus does not list a CISA KEV entry or ransomware campaign linkage for this CVE.