PatchSiren cyber security CVE debrief

CVE-2017-5017 Google CVE debrief

CVE-2017-5017 is a Chrome vulnerability on Mac where interactions with the OS insufficiently cleared video memory. In the reported scenario, a remote attacker could use a crafted HTML page to possibly extract image fragments on systems with GeForce 8600M graphics chips. The issue is confidentiality-focused and requires user interaction, which limits—but does not remove—the risk for affected Macs running vulnerable Chrome builds.

Vendor: Google
Product: CVE-2017-5017
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations and individuals running Google Chrome on Mac, especially where affected hardware includes GeForce 8600M graphics chips. Browser security teams, Mac fleet administrators, and help desk / endpoint teams supporting older Chrome deployments should pay attention.

Technical summary

Per the supplied description and NVD data, Chrome on Mac did not sufficiently clear video memory during certain OS interactions. A remote attacker could trigger the issue with a crafted HTML page and potentially recover image fragments. NVD classifies the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and rates impact as low confidentiality only, with network attack vector and user interaction required.

Defensive priority

Medium priority for any fleet that may still run affected Chrome versions on Mac, with extra attention to systems using the referenced GeForce 8600M graphics chips. The risk is limited to information disclosure and requires user interaction, but the issue is remote and browser-facing.

Recommended defensive actions

  • Verify Chrome on Mac is updated to 56.0.2924.76 or later, the fixed release named in the CVE description.
  • Prioritize remediation on systems that match the affected hardware profile mentioned in the advisory (GeForce 8600M graphics chips).
  • Use browser auto-update management and confirm endpoints are not pinned to vulnerable Chrome builds.
  • Review downstream Linux/distribution advisories and browser release notes referenced by the vendor for patch confirmation.
  • Treat this as a confidentiality issue: nothing in the provided record indicates code execution or integrity impact.

Evidence notes

Primary evidence comes from the supplied CVE description, the NVD record, and the linked Chrome stable channel update and bug reference. The description states the issue affected Chrome prior to 56.0.2924.76 for Mac, while the NVD CPE criteria list vulnerable Chrome versions through 55.0.2883.87. That version-detail mismatch is reflected in the corpus, so builds that fall between the two bounds should be treated cautiously when validating exposure.
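The version check from the recommended actions and the bound mismatch noted above can be combined into one triage step. The following is an added example, not code from the vendor or from this page's source; the function names, verdict labels and inventory rows are assumptions made for illustration.

```python
# Added example: triage Chrome-for-Mac versions against both bounds quoted on this page.
import re

FIXED_IN = (56, 0, 2924, 76)        # CVE description: "prior to 56.0.2924.76"
NVD_CPE_LAST = (55, 0, 2883, 87)    # NVD CPE: vulnerable "through 55.0.2883.87"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not MAJOR.MINOR.BUILD.PATCH."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Map a version string to an exposure verdict for CVE-2017-5017."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"            # unparseable: needs manual inspection
    if version >= FIXED_IN:
        return "fixed"
    if version <= NVD_CPE_LAST:
        return "vulnerable"         # both sources agree
    # Between the bounds: the description says affected, the NVD CPE range does not cover it.
    return "vulnerable-per-description"


def triage(inventory):
    """Group (hostname, version) rows by verdict."""
    report = {}
    for host, version_text in inventory:
        report.setdefault(classify(version_text), []).append(host)
    return report


# Constructed inventory rows (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("mac-001", "55.0.2883.87"),
    ("mac-002", "56.0.2924.76"),
    ("mac-003", "56.0.2924.59"),
    ("mac-005", "Chrome not found"),
    ("mac-006", "120.0.6099.109"),
]

if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{verdict}: {', '.join(hosts)}")
```

On a Mac endpoint the input string can be collected with `defaults read "/Applications/Google Chrome.app/Contents/Info" CFBundleShortVersionString`, assuming Chrome is installed in the default location.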

Official resources

Published in the CVE/NVD record on 2017-02-17. NVD last modified the record on 2026-05-13, but that does not change the original vulnerability publication date.