PatchSiren

CVE-2017-5012 Google CVE debrief

CVE-2017-5012 is a high-severity Google Chrome vulnerability disclosed on 2017-02-17. According to NVD, a crafted HTML page could trigger a heap buffer overflow in V8 and lead to heap corruption in affected Chrome versions.

Vendor: Google
Product: CVE-2017-5012
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Browser security teams, endpoint administrators, and anyone managing Google Chrome on Linux, Windows, macOS, or Android should care—especially environments that lag on browser updates or rely on managed, downstream-packaged builds.

Technical summary

NVD describes this issue as a heap buffer overflow in the V8 engine used by Google Chrome. The attack vector is network-based and requires user interaction, consistent with a crafted HTML page reaching the vulnerable code path and causing heap corruption. The supplied NVD record lists Chrome versions through 55.0.2883.87 in its CPE criteria, while the CVE description states fixes were available in 56.0.2924.76 for Linux/Windows/Mac and 56.0.2924.87 for Android.

Defensive priority

High. This is a remotely reachable browser memory-corruption flaw with high CVSS impact and should be remediated quickly across all managed Chrome deployments.

Recommended defensive actions

  • Update Google Chrome to a fixed release: 56.0.2924.76 on Linux, Windows, and Mac, or 56.0.2924.87 on Android.
  • Verify installed browser versions across managed endpoints, kiosks, and VDI fleets; treat any vulnerable build as needing remediation.
  • Check downstream vendor advisories for packaged Chrome builds and apply the corresponding enterprise or distribution update.
  • Prioritize systems that frequently browse untrusted content or that do not receive automatic browser updates in a timely way.
  • Use the Google Chrome release notes and vendor advisories to confirm remediation and deployment status.
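
One way to run the version check from the list above over an endpoint inventory, as an added example that is not part of the original debrief or any vendor tooling. The function names, platform keys, inventory layout and hostnames are assumptions made for illustration; the fixed-release numbers are the ones stated on this page, and any build below them is flagged for update.

```python
import re

# Fixed releases as stated in the CVE description quoted on this page.
DESKTOP_FIX = (56, 0, 2924, 76)
FIXED = {"linux": DESKTOP_FIX, "windows": DESKTOP_FIX, "mac": DESKTOP_FIX,
         "android": (56, 0, 2924, 87)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, build, patch) as ints, or None if not parseable."""
    # Text after the fourth component (e.g. a packaging suffix "-1") is ignored.
    m = _VERSION.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(platform, version_text):
    """Classify one install as 'fixed', 'needs-update', or 'review'."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "review"  # unknown platform or unreadable version: check by hand
    # Tuple comparison is numeric per component, so 56.0.2924.9 < 56.0.2924.76,
    # which a plain string comparison would get wrong.
    return "fixed" if version >= fixed else "needs-update"


def report(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(platform, version) for host, platform, version in inventory}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("kiosk-01", "Windows", "55.0.2883.87"),
    ("vdi-07", "Linux", "56.0.2924.76-1"),
    ("phone-12", "Android", "56.0.2924.76"),   # desktop fix level, below Android fix
    ("lab-03", "Mac", "56.0.2924.9"),
    ("edge-02", "ChromeOS", "56.0.2924.76"),   # platform not covered by the page
    ("dev-09", "Linux", "unknown"),
]

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host}: {status}")
```

Results marked "review" and any downstream-packaged build should still be confirmed against the vendor release notes or the distribution advisory, as the list above recommends.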

Evidence notes

All factual statements are grounded in the supplied NVD record and its listed references. The NVD description identifies a V8 heap buffer overflow triggered by a crafted HTML page; the CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and the weakness is CWE-119. The reference set includes Google's Chrome release note, the Chromium bug entry, and downstream advisories from Red Hat, Debian, and Gentoo. Note that the NVD CPE criteria and prose description do not present exactly the same version boundary, so precise patch verification should rely on the vendor release notes and downstream advisories.

Official resources

Publicly disclosed on 2017-02-17. The NVD record was later modified on 2026-05-13; that later date reflects record maintenance, not the original vulnerability date.