PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5014 Google CVE debrief

CVE-2017-5014 describes a heap buffer overflow in Skia image processing used by Google Chrome. A remote attacker could trigger the issue with a crafted HTML page, leading to an out-of-bounds memory read and limited impact on confidentiality, integrity, and availability. Google’s linked Chrome release advisory and downstream security advisories indicate the issue was fixed in Chrome updates released in January 2017.

Vendor: Google
Product: Google Chrome (record CVE-2017-5014)
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations that manage Google Chrome on desktops or Android, especially endpoint, browser, and patch-management teams. Security teams should also pay attention wherever Chrome is used to open untrusted web content or embedded HTML, since a crafted page is all the attacker needs.

Technical summary

The vulnerability is recorded as a heap-based memory corruption issue in Skia during image processing, with CWE-119 assigned in the NVD record. The NVD description states that a crafted HTML page could trigger a remote out-of-bounds memory read in Chrome versions prior to 56.0.2924.76 on Linux, Windows, and Mac, and prior to 56.0.2924.87 on Android. The linked NVD record lists Chrome version coverage through 55.0.2883.87 in its CPE criteria; that is the last 55.x build, so the CPE range and the first-fixed builds in the description agree, but note that the CPE data does not capture the different Android threshold, so use the description text when deciding whether a given install is fixed.

Defensive priority

Medium. The flaw is remotely triggerable through web content, but the supplied record does not indicate known exploitation in the wild or KEV inclusion.

Recommended defensive actions

  • Upgrade Google Chrome to a fixed release: 56.0.2924.76 or later on Linux, Windows, and Mac, and 56.0.2924.87 or later on Android, as listed in the CVE description.
  • Prioritize patching managed desktops and Android devices that may browse untrusted content.
  • Use centralized browser update enforcement and verify versions across fleets.
  • Monitor vendor advisories and downstream distro notices linked in the record for remediation guidance.
  • Treat unexpected browser crashes or rendering anomalies as signals to investigate and update promptly.
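The version thresholds in the technical summary and the "verify versions across fleets" action above come together in a small check a patch-management team could run over an inventory export. The following is an added example written for this debrief, not code from PatchSiren, Google, or the Chromium project. The fixed builds are the ones the CVE description names; the comma-separated host,platform,version inventory format and the hosts in it are constructed assumptions. Versions are compared as integer tuples, because comparing them as strings would rank a 9.x build above 56.x.

```python
"""Fleet check for CVE-2017-5014: flag Chrome installs below the fixed builds.

Added example for this debrief, not PatchSiren's or Google's code. The
fixed versions come from the CVE description; the inventory lines below are
constructed sample data, and the 'host,platform,version' layout is an
assumption about how a fleet export might look.
"""
from typing import Dict, List, Tuple

# First fixed build per platform, taken from the CVE-2017-5014 description.
# Android was fixed in a later 56.x build than the desktop platforms.
FIXED_VERSIONS: Dict[str, str] = {
    "linux": "56.0.2924.76",
    "windows": "56.0.2924.76",
    "mac": "56.0.2924.76",
    "android": "56.0.2924.87",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version into an integer tuple for comparison.

    Chrome versions are MAJOR.MINOR.BUILD.PATCH. Shorter strings (e.g. a
    truncated '55.0.2883' from a sloppy export) are padded with zeros so a
    four-part fixed version compares correctly against them. Integers, not
    strings, are compared: as strings, '9.0.597.0' would sort after '56.x'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the installed build is older than the platform's fixed build."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        # Refuse to guess: an unknown platform must not be silently marked fixed.
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def check_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, platform, version) for every install still exposed.

    Blank lines and '#' comments are skipped; a malformed row raises rather
    than being treated as patched.
    """
    exposed = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, platform, version = (field.strip() for field in line.split(","))
        if is_vulnerable(platform, version):
            exposed.append((host, platform.lower(), version))
    return exposed


# Constructed sample inventory with hypothetical hosts, not real fleet data.
SAMPLE_INVENTORY = """\
# host,platform,version
ws-001,windows,55.0.2883.87
ws-002,windows,56.0.2924.76
mac-010,mac,56.0.2924.87
lx-020,linux,9.0.597.0
droid-030,android,56.0.2924.76
droid-031,android,56.0.2924.87
"""

if __name__ == "__main__":
    for host, platform, version in check_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host}: {platform} Chrome {version} is below the fixed build")
```

Note that droid-030 is flagged even though it runs 56.0.2924.76, which is fixed on desktop: the Android threshold is the later 56.0.2924.87, which is exactly the detail a single CPE version range would miss.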

Evidence notes

All statements are based on the supplied NVD/CVE corpus and the linked official references. The record identifies the issue as CVE-2017-5014, published 2017-02-17 and modified 2026-05-13, with references to the Chrome stable-channel release note, Chromium issue 675332, and downstream security advisories from Red Hat, Debian, and Gentoo. No KEV date or ransomware linkage is present in the supplied data.

Official resources

Publicly disclosed in the CVE record on 2017-02-17. The supplied data shows the record was modified on 2026-05-13, which should not be treated as the vulnerability date.