PatchSiren

CVE-2017-5023 Google CVE debrief

CVE-2017-5023 is a publicly disclosed Google Chrome vulnerability first published on 2017-02-17. The CVE description identifies a type confusion issue in Histogram that could allow a remote attacker to potentially trigger a near-null dereference through a crafted HTML page. The supplied CVSS vector indicates network attackability with user interaction required and low availability impact, which aligns with a browser-borne issue that is more likely to cause a crash or limited disruption than full compromise.

Vendor: Google
Product: CVE-2017-5023
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations and individuals running Google Chrome on affected desktop platforms or Android before the fixed releases should prioritize this advisory. It is also relevant to endpoint teams that manage browser patching, especially where users regularly browse untrusted web content.

Technical summary

According to the CVE/NVD metadata, the flaw is a type confusion in Chrome's Histogram component. An attacker could use a crafted HTML page to reach the vulnerable code path and potentially cause a near-null dereference. The supplied CVSS 3.0 vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, indicating remote delivery, no privileges required, user interaction needed, and limited availability impact. The CVE description states the issue was addressed in Chrome 56.0.2924.76 for Linux, Windows, and Mac, and 56.0.2924.87 for Android.

Defensive priority

Medium. This is a browser vulnerability that requires user interaction and has limited availability impact, so it should be patched promptly, but the supplied metadata does not indicate a high-impact remote code execution issue.

Recommended defensive actions

  • Update Google Chrome to at least 56.0.2924.76 on Linux, Windows, and Mac, or 56.0.2924.87 on Android.
  • Verify fleet patch status for Chrome installations and remediate any systems still on affected versions.
  • Prioritize endpoints used for routine web browsing, since exploitation requires visiting attacker-controlled content.
  • Use standard browser hardening and patch management controls to reduce exposure to malicious or compromised pages.
  • Track downstream OS/vendor advisories that reference this CVE for packaged browser updates.
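
One way to carry out the fleet patch-status check from the list above, as an added example that is not part of the original debrief or any vendor tooling. The fixed versions come from the CVE description; the inventory format, column names and hostnames are constructed assumptions.

```python
import csv
import io

# Fixed releases stated in the CVE description, keyed by platform.
FIXED = {
    "linux": (56, 0, 2924, 76),
    "windows": (56, 0, 2924, 76),
    "mac": (56, 0, 2924, 76),
    "android": (56, 0, 2924, 87),
}

# Constructed sample inventory; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """host,platform,chrome_version
ws-001,windows,56.0.2924.76
ws-002,windows,55.0.2883.87
lx-003,linux,56.0.2924.100
mb-004,mac,56.0.2924.9
ph-005,android,56.0.2924.76
ws-006,windows,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return a list of (host, status): 'patched', 'affected' or 'unknown'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["platform"].strip().lower())
        version = parse_version(row["chrome_version"])
        if fixed is None or version is None:
            status = "unknown"  # needs manual follow-up, never assumed patched
        elif version >= fixed:  # numeric tuple compare, not string compare
            status = "patched"
        else:
            status = "affected"
        results.append((row["host"], status))
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Comparing versions as integer tuples matters here: a string comparison would rank 56.0.2924.100 below 56.0.2924.76 and 56.0.2924.9 above it, misclassifying both hosts.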

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and the referenced official links listed in the source metadata. The key facts used here come from the CVE description, the NVD CVSS vector and weakness data, and the reference list that includes the Chrome stable release note, Chrome bug tracker entry, and downstream vendor advisories. Link contents were not independently fetched in this corpus, so no additional claims beyond the provided metadata are included.

Official resources

Publicly disclosed on 2017-02-17 per the supplied CVE publication timestamp. The NVD record was later modified on 2026-05-13, which should be treated as a metadata update rather than the original issue date.