PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5006 Google CVE debrief

CVE-2017-5006 is a Google Chrome Blink vulnerability that could let a remote attacker inject arbitrary HTML or script into a page context, creating a universal cross-site scripting (UXSS) risk. The issue affects Chrome releases prior to the patched versions stated below for desktop and Android. Organizations should treat it as a browser integrity problem that can expose authenticated sessions and trusted web workflows if left unpatched.

Vendor: Google
Product: CVE-2017-5006
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Security teams and IT administrators managing Google Chrome on desktops or Android devices, especially where users access SSO portals, internal business apps, or other high-trust web applications in the browser.

Technical summary

NVD describes the flaw as incorrect handling of object owner relationships in Blink, tracked as CWE-79. The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 MEDIUM). In practical terms, a crafted HTML page could trigger script or HTML injection in a way that breaks same-origin expectations and enables UXSS-style impact.

Defensive priority

Moderate

Recommended defensive actions

  • Update Google Chrome to a fixed release on all supported desktop and Android fleets.
  • Verify that enterprise update channels are working and that no devices are pinned to vulnerable Chrome versions.
  • Prioritize patching for users who handle sensitive accounts, SSO sessions, or internal web applications in the browser.
  • Confirm browser version compliance with asset inventory and endpoint management tools.
  • Keep automatic browser updates enabled and alert on endpoints that fall behind the required Chrome version.

Evidence notes

The supplied NVD record lists CVSS 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79. The description states the Blink flaw affected Chrome versions prior to 56.0.2924.76 on Linux, Windows, and Mac, and prior to 56.0.2924.87 on Android. Supplied references include the Google Chrome stable-channel release note, Chromium bug 673170, and downstream advisories from Red Hat, Debian, and Gentoo, which support the patch context and affected-product scope.
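The version-compliance check recommended above can be automated against an asset inventory using the two fixed releases quoted from the NVD record. The following is an added example, not part of the PatchSiren debrief or any Google tooling; the hostnames and installed versions in the sample inventory are constructed, and the inventory schema (`host`, `platform`, `chrome_version`) is an assumption.

```python
"""Added example (not from the PatchSiren debrief): flag Chrome installs that
are still below the CVE-2017-5006 fixed releases named in the NVD record.
The inventory rows at the bottom are constructed sample data."""
from typing import Dict, Iterable, List, Tuple

# Fixed releases from the NVD description quoted in the debrief.
FIXED_DESKTOP = "56.0.2924.76"   # Linux, Windows, Mac
FIXED_ANDROID = "56.0.2924.87"   # Android

def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version (major.minor.build.patch) into integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return parts

def fixed_version_for(platform: str) -> str:
    """Return the patched release that applies to the given platform."""
    return FIXED_ANDROID if platform.lower() == "android" else FIXED_DESKTOP

def is_vulnerable(version: str, platform: str) -> bool:
    """True when the installed build predates the fix for that platform."""
    return parse_version(version) < parse_version(fixed_version_for(platform))

def find_noncompliant(inventory: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory rows that still need the CVE-2017-5006 update."""
    findings = []
    for row in inventory:
        try:
            vulnerable = is_vulnerable(row["chrome_version"], row["platform"])
        except ValueError:
            vulnerable = True  # unparseable version: treat as non-compliant
        if vulnerable:
            findings.append({**row, "required": fixed_version_for(row["platform"])})
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fin-ws-01", "platform": "Windows", "chrome_version": "55.0.2883.87"},
    {"host": "fin-ws-02", "platform": "Windows", "chrome_version": "56.0.2924.76"},
    {"host": "dev-mac-03", "platform": "Mac", "chrome_version": "56.0.2924.87"},
    {"host": "sales-phone-07", "platform": "Android", "chrome_version": "56.0.2924.76"},
    {"host": "ops-linux-04", "platform": "Linux", "chrome_version": "57.0.2987.98"},
]

if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_INVENTORY):
        print(f"{f['host']}: Chrome {f['chrome_version']} on {f['platform']} "
              f"is below fixed release {f['required']}")
```

Note that the Android threshold is higher than the desktop one, so a build such as 56.0.2924.76 is compliant on Windows but still vulnerable on Android.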

Official resources

Published by NVD on 2017-02-17 and last modified on 2026-05-13. The supplied corpus does not list a CISA KEV entry or ransomware campaign linkage for this CVE.