PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5016 Google CVE debrief

CVE-2017-5016 is a Google Chrome/Blink UI rendering flaw that let a remote attacker use crafted HTML to make certain UI elements appear on a page the attacker did not control. The issue was published in NVD on 2017-02-17 and is rated medium severity; exploitation requires user interaction.

Vendor
Google
Product
Google Chrome
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Organizations that manage Chrome on Windows, macOS, Linux, or Android; browser security teams; endpoint administrators; and users who may visit untrusted web content on affected versions.

Technical summary

NVD describes the flaw as Blink in Google Chrome failing to prevent certain UI elements from being displayed by non-visible pages, which could let a remote attacker show UI elements on a page the attacker did not control via crafted HTML. The NVD weakness mapping is CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), and the CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N: network reachable, low attack complexity, no privileges required, user interaction required, scope unchanged, no confidentiality or availability impact, and high integrity impact as the sole impact component.

Defensive priority

Medium. Patch promptly if any affected Chrome builds remain in the environment, especially on user-facing systems where malicious web content can be opened. The user-interaction requirement lowers immediacy compared with fully remote, no-click issues, but the integrity impact still makes it important to remediate.

Recommended defensive actions

  • Update Google Chrome to a fixed release: 56.0.2924.76 for Linux, Windows, and Mac, or 56.0.2924.87 for Android.
  • Confirm fleet-wide browser version inventory so older Chrome builds are identified and removed from standard images.
  • Use managed update channels or enterprise policy controls to enforce timely Chrome updates.
  • Prioritize remediation on endpoints that routinely access untrusted or externally supplied web content.
  • Review user-reported browser UI anomalies or suspicious page behavior as potential indicators of abuse attempts.
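
The inventory step above has two traps worth handling in code: Chrome versions must be compared numerically (as strings, "56.0.2924.9" sorts after "56.0.2924.76"), and the fixed build differs between Android and the desktop platforms. The script below is an added example, not PatchSiren or Google tooling; it triages a constructed `host,platform,version` export (the sort of file an MDM or EDR console produces) against the fixed releases listed above and refuses to classify rows it cannot parse as patched. The host names, the CSV column layout and the "ChromeOS" row are hypothetical.

```python
"""Fleet triage for CVE-2017-5016: flag Chrome installs below the fixed build.
Added example, not PatchSiren tooling. Sample inventory below is constructed."""
import csv
import io

# Fixed releases from the Chrome stable channel update cited on this page.
FIXED_VERSIONS = {
    "linux": "56.0.2924.76",
    "windows": "56.0.2924.76",
    "mac": "56.0.2924.76",
    "android": "56.0.2924.87",
}


def parse_version(version):
    """Turn '55.0.2883.87' into (55, 0, 2883, 87) so it compares numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform, version):
    """True when the version is strictly below the fixed build for that platform."""
    fixed = FIXED_VERSIONS.get(platform.strip().lower())
    if fixed is None:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    return parse_version(version) < parse_version(fixed)


def triage(inventory_csv):
    """Read 'host,platform,version' rows; return (vulnerable, patched, unparseable)."""
    vulnerable, patched, unparseable = [], [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        try:
            if is_vulnerable(row["platform"], row["version"]):
                vulnerable.append(host)
            else:
                patched.append(host)
        except ValueError as exc:
            # Unknown platform or garbage version: report it, never assume patched.
            unparseable.append((host, str(exc)))
    return vulnerable, patched, unparseable


# Constructed sample export with hypothetical hosts.
SAMPLE_INVENTORY = """host,platform,version
ws-001,Windows,55.0.2883.87
ws-002,Windows,56.0.2924.76
mac-01,Mac,56.0.2924.87
lx-01,Linux,56.0.2924.9
droid-01,Android,56.0.2924.76
droid-02,Android,56.0.2924.87
kiosk-01,ChromeOS,56.0.2924.76
lab-01,Linux,unknown
"""

if __name__ == "__main__":
    vuln, ok, bad = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)     # ['ws-001', 'lx-01', 'droid-01']
    print("patched:   ", ok)       # ['ws-002', 'mac-01', 'droid-02']
    for host, reason in bad:
        print(f"needs manual review: {host}: {reason}")
```

Note that droid-01 is flagged even though 56.0.2924.76 is the desktop fix, because the Android fix is 56.0.2924.87, and lx-01 is flagged because its fourth component (9) is below 76 once compared as an integer. Rows for platforms this advisory does not list, or with unparseable versions, land in the manual-review bucket rather than being silently counted as patched.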

Evidence notes

The source corpus states that Blink in Chrome prior to the fixed versions failed to prevent certain UI elements from being displayed by non-visible pages, enabling a remote attacker to show UI elements via crafted HTML. NVD lists supporting references including the Google Chrome stable channel update, Chromium issue crbug.com/673163, and multiple vendor advisories (Red Hat, Debian, Gentoo), which supports the remediation and affected-product context.

Official resources

Published in NVD on 2017-02-17T07:59:00.527Z; the record was later modified on 2026-05-13T00:24:29.033Z. Use the published CVE date, not the later modification date, for incident timing.