PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5015 Google CVE debrief

CVE-2017-5015 is a browser spoofing issue in Google Chrome where incorrect handling of Unicode glyphs could let a remote attacker use a crafted internationalized domain name (IDN) to impersonate a different site. The practical risk is user deception: a malicious link can appear to point at a trusted domain while actually resolving elsewhere. Google’s advisory and downstream vendor references indicate the issue was addressed in Chrome 56-era updates, with the vulnerability affecting Chrome versions before 56.0.2924.76 on desktop and before 56.0.2924.87 on Android. The CVE was published on 2017-02-17; the later 2026 NVD modification date reflects record maintenance, not the original vulnerability date.

Vendor
Google
Product
CVE-2017-5015
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Security teams, browser fleet owners, and anyone relying on Chrome for access to sensitive web applications should care. This is especially relevant for organizations that use phishing-resistant controls, user training, or URL-based trust decisions, because IDN homograph spoofing can defeat casual visual inspection of links.

Technical summary

NVD describes Chrome as incorrectly handling Unicode glyphs, enabling domain spoofing through IDN homographs in a crafted domain name. The issue is classified by NVD with CVSS v3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, reflecting a network-reachable attack that requires user interaction and can impact integrity by misleading the victim about the destination domain. The supplied source corpus indicates affected Chrome versions were older than 56.0.2924.76 for Linux, Windows, and Mac, and older than 56.0.2924.87 for Android.

Defensive priority

Medium. The risk is not code execution, but it can materially aid phishing and credential theft by making malicious domains look legitimate to users.

Recommended defensive actions

  • Update Google Chrome to a fixed release at or above 56.0.2924.76 on desktop and 56.0.2924.87 on Android.
  • Verify that managed browser update policies are enforcing rapid patch adoption across all endpoints.
  • Treat Unicode and IDN domains with caution in phishing defenses, allowlists, and user guidance; do not rely on visual similarity alone.
  • Review browser-based trust workflows for dependency on user-visible domain strings and reinforce with additional controls such as MFA and origin-aware checks.
  • Use the linked vendor and distribution advisories to confirm remediation status in your environment.

Evidence notes

The debrief is based on the supplied NVD record metadata and the references it lists, including Google’s Chrome release note and downstream advisories (Red Hat, Debian, Gentoo). The corpus explicitly states the affected versions and the fix versions. No unsupported exploit mechanics or unverified implementation details are added.

Official resources

Publicly disclosed on 2017-02-17. The modified date in the source timeline (2026-05-13) reflects later record updates, not the original vulnerability disclosure date.