PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5009 Google CVE debrief

CVE-2017-5009 is a high-severity Google Chrome WebRTC memory-corruption issue. According to the CVE description, a crafted HTML page could trigger heap corruption through improper bounds checking in WebRTC, making this a network-reachable browser flaw with user interaction required. The supplied corpus points to vendor patches and downstream advisories, so remediation should focus on upgrading affected Chrome installations promptly.

Vendor
Google
Product
Google Chrome (CVE-2017-5009)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Browser and endpoint teams, enterprise patch managers, Linux/Windows/macOS fleet owners, and Android device administrators running affected Chrome versions. Users of managed or unmanaged Chrome installs should be considered at risk until updated.

Technical summary

NVD classifies the issue as CWE-119 with CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The CVE description says WebRTC in Google Chrome prior to 56.0.2924.76 on Linux/Windows/Mac and prior to 56.0.2924.87 on Android failed proper bounds checking, enabling remote heap corruption via a crafted HTML page. The source corpus also includes Google release and issue-tracker references plus downstream advisories from Red Hat, Debian, and Gentoo.

Defensive priority

High. The flaw is remotely reachable through browser content and can affect confidentiality, integrity, and availability if exploited, but the issue is also patchable and has vendor remediation guidance in the source corpus.

Recommended defensive actions

  • Update Google Chrome to the fixed release referenced in the CVE description for your platform (56.0.2924.76 on Linux/Windows/macOS, 56.0.2924.87 on Android).
  • Prioritize managed browser rollouts across Windows, macOS, Linux, and Android devices.
  • Verify downstream package channels and distro advisories for Chrome/Chromium builds before assuming the browser auto-updated.
  • Inventory current Chrome versions in the fleet and quarantine any systems still on affected releases.
  • Use vendor release notes and downstream advisories to confirm remediation status after deployment.
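The inventory step above is easy to get wrong when versions are compared as strings ("9.0.0.0" sorts above "56.0.2924.76" lexically). The following is an added example, not code from PatchSiren or Google: it parses dotted Chrome version strings numerically, checks each host against the per-platform fixed versions named in the CVE description, and sorts a fleet inventory into affected, patched and unparseable buckets so that malformed records are not silently treated as patched. The hostnames and versions in the sample inventory are constructed.

```python
"""Classify Chrome installs against the fixed releases named in the
CVE-2017-5009 description. Added example; not PatchSiren's or Google's code."""
from typing import Dict, List, Tuple

# Fixed versions from the CVE description: desktop (Linux/Windows/Mac)
# and Android. Anything strictly below these is still affected.
FIXED_VERSIONS: Dict[str, str] = {
    "linux": "56.0.2924.76",
    "windows": "56.0.2924.76",
    "mac": "56.0.2924.76",
    "android": "56.0.2924.87",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '56.0.2924.76' into (56, 0, 2924, 76) so comparisons are numeric.
    Rejects anything that is not purely dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool:
    """True if this Chrome build is below the fixed release for its platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def triage_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split an inventory into hosts still needing the fix and hosts that are
    patched. Records that cannot be parsed go into their own bucket so they
    are surfaced for follow-up rather than assumed safe."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unparseable": []}
    for host in inventory:
        try:
            bucket = "affected" if is_affected(host["platform"], host["version"]) else "patched"
        except (KeyError, ValueError):
            bucket = "unparseable"
        result[bucket].append(host.get("host", "<unknown>"))
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "wks-001", "platform": "Windows", "version": "55.0.2883.87"},
    {"host": "wks-002", "platform": "Windows", "version": "56.0.2924.76"},
    {"host": "mac-010", "platform": "Mac", "version": "56.0.2924.59"},
    {"host": "lnx-020", "platform": "Linux", "version": "57.0.3000.1"},
    {"host": "and-100", "platform": "Android", "version": "56.0.2924.76"},
    {"host": "and-101", "platform": "Android", "version": "56.0.2924.87"},
    {"host": "wks-003", "platform": "Windows", "version": "unknown"},
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Note that an Android device on 56.0.2924.76 is still affected even though that build is the desktop fix version; the check is keyed on platform for exactly that reason. Feed the script the output of your fleet inventory tool in the same three-field shape and act on the "affected" and "unparseable" lists.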

Evidence notes

The supplied NVD record identifies CVE-2017-5009 as a Chrome WebRTC bounds-checking flaw (CWE-119) with CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The CVE description states affected Chrome versions were before 56.0.2924.76 on desktop and before 56.0.2924.87 on Android. NVD metadata cites Google’s Chrome stable-channel update blog, Chromium issue 667504, and downstream advisories from Red Hat, Debian, and Gentoo. The corpus also includes a CPE range ending at 55.0.2883.87, which does not exactly match the version numbers in the description; treat the vendor-linked fix versions as the primary remediation target.

Official resources

Publicly disclosed on 2017-02-17 per the supplied CVE record. The supplied corpus does not list this CVE as a CISA KEV item and does not indicate known ransomware campaign use.