PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5027 Google CVE debrief

CVE-2017-5027 is a Google Chrome vulnerability in Blink's Content Security Policy handling. According to the public description, affected releases failed to properly enforce the 'unsafe-inline' CSP keyword, so a remote attacker could bypass the page's Content Security Policy by getting a user to load a crafted HTML page. The issue was publicly disclosed on 2017-02-17; Google's stable-channel update and the associated Chromium bug are the primary references. Because this is a browser-side policy enforcement weakness, the main defense is timely browser update deployment: application-side hardening of the CSP helps, but cannot on its own compensate for a browser that does not enforce the policy it receives.

Vendor
Google
Product
Google Chrome (Blink rendering engine)
CVSS
MEDIUM 4.3
CISA KEV
Not listed in the evidence collected for this record
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Organizations that manage Chrome on Linux, Windows, Mac, or Android; web application teams that depend on Content Security Policy to reduce script injection risk; and security teams responsible for endpoint patching and browser policy enforcement.

Technical summary

Blink in affected Chrome releases failed to properly enforce the 'unsafe-inline' Content Security Policy keyword. The practical impact is a CSP bypass: a crafted HTML page could obtain behavior that the page's policy was intended to block, which matters most where CSP is the control relied on to contain script injection. The NVD record classifies the issue as network exploitable with user interaction required (the victim must load the attacker's page), with integrity impact only; the public references are Google's release note and the Chromium issue tracker.
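The bug above is about the browser mis-enforcing 'unsafe-inline'; the application-side question it raises is whether your policy depends on that keyword at all. The following is an added example for this debrief (not code from Google or the Chromium project) that parses a Content-Security-Policy header and reports how its effective script policy treats inline script, including the CSP Level 2 rule that 'unsafe-inline' is ignored when a nonce or hash source is also listed. The sample headers are constructed for illustration.

```python
"""Audit Content-Security-Policy headers for reliance on 'unsafe-inline'.

Added example for this debrief, not code from Google or the Chromium project.
It parses the header grammar (semicolon-separated directives, space-separated
source expressions) and reports how the effective script policy treats inline
script. The sample headers at the bottom are constructed, not taken from any
real site.
"""
from __future__ import annotations

# Findings are fixed strings so callers can match on them.
UNRESTRICTED = "no script-src or default-src: inline and remote script unrestricted"
INLINE_ALLOWED = "'unsafe-inline' permits injected inline script; CSP gives no XSS protection here"
INLINE_IGNORED = "'unsafe-inline' ignored by CSP2 browsers because a nonce or hash is present (harmless CSP1 fallback)"
UNSAFE_EVAL = "'unsafe-eval' permits eval()/Function() on attacker-controlled strings"
BROAD_ORIGIN = "wildcard or scheme-only source permits script from any origin"

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive. Per the spec, only the first
    occurrence of a directive is honoured; later duplicates are ignored.
    """
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs script; absent that, default-src is the fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def audit_script_policy(header: str) -> list[str]:
    """Return findings about how the policy handles inline and remote script."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return [UNRESTRICTED]
    lowered = [s.lower() for s in sources]
    findings: list[str] = []

    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
    if "'unsafe-inline'" in lowered:
        # CSP2 rule: a nonce or hash in the same directive disables 'unsafe-inline'.
        findings.append(INLINE_IGNORED if has_nonce_or_hash else INLINE_ALLOWED)
    if "'unsafe-eval'" in lowered:
        findings.append(UNSAFE_EVAL)
    # '*' or a bare scheme such as https: allows script from any host.
    if any(s == "*" or s in ("http:", "https:") for s in lowered):
        findings.append(BROAD_ORIGIN)
    return findings


# Constructed sample headers: a weak policy and a nonce-based one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
HARDENED_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'; base-uri 'none'"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, "->", audit_script_policy(header) or ["no findings"])
```

The weak sample is the pattern that makes a browser-side 'unsafe-inline' bug irrelevant to your exposure: inline script is already permitted, so an injected script tag runs whether or not the browser enforces CSP correctly. The hardened sample keeps 'unsafe-inline' only as a fallback for pre-CSP2 browsers, and nonce-aware browsers ignore it.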

Defensive priority

Medium. The CVSS base score is 4.3 (integrity impact only, user interaction required), but the issue undermines a core browser security control that web applications rely on, so patching should be treated as a routine, tracked priority for managed fleets rather than deferred.

Recommended defensive actions

  • Update Google Chrome to the fixed release Google indicated for your platform, or later: 56.0.2924.76 for Linux, Windows, and Mac; 56.0.2924.87 for Android. Note that the Android fix landed in a later build than the desktop fix, so a single fleet-wide version threshold is not sufficient.
  • Verify fleet-wide browser version coverage on managed endpoints, including bring-your-own-device and remote users.
  • Review web application assumptions that rely on CSP alone; use layered defenses such as input validation, output encoding, and least-privilege script sources, and prefer nonce- or hash-based script allowlisting over 'unsafe-inline'.
  • Confirm that browser update channels and endpoint management policies are working so fixes reach users quickly.
  • Use the Chromium bug and release note references to validate remediation status in change management records.
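The fleet-coverage step above is where version checks most often go wrong: Chrome versions are four dotted integers, and a plain string comparison ranks 56.0.2924.9 above 56.0.2924.76. The following is an added example for this debrief (not Google's or Chromium's code) that compares reported Chrome versions numerically against the per-platform fixed releases from the CVE description. The inventory rows are constructed sample data, not real telemetry.

```python
"""Check reported Chrome versions against the CVE-2017-5027 fixed releases.

Added example for this debrief, not code from Google or the Chromium project.
The fixed versions come from the public CVE description; the inventory below
is constructed sample data standing in for an endpoint-management export.
"""
from __future__ import annotations

# Fixed releases per platform, from the CVE description. Android was fixed
# in a later build than the desktop platforms.
FIXED_RELEASE = {
    "linux": (56, 0, 2924, 76),
    "windows": (56, 0, 2924, 76),
    "mac": (56, 0, 2924, 76),
    "android": (56, 0, 2924, 87),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '56.0.2924.76' into (56, 0, 2924, 76) so comparison is numeric.

    A string comparison would wrongly rank '56.0.2924.9' above '56.0.2924.76'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool:
    """True if this Chrome build predates the fixed release for its platform."""
    key = platform.strip().lower()
    if key not in FIXED_RELEASE:
        raise ValueError(f"platform not covered by this advisory: {platform!r}")
    return parse_version(version) < FIXED_RELEASE[key]


# Constructed sample inventory: (hostname, platform, reported Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "55.0.2883.87"),
    ("ws-02", "Windows", "56.0.2924.76"),   # exactly the fixed desktop build
    ("mac-01", "Mac", "56.0.2924.9"),       # numerically older than .76
    ("lx-01", "Linux", "57.0.2987.98"),
    ("and-01", "Android", "56.0.2924.76"),  # fixed on desktop, not yet on Android
    ("and-02", "Android", "56.0.2924.87"),  # exactly the fixed Android build
]


def vulnerable_hosts(inventory=SAMPLE_INVENTORY) -> list[str]:
    """Hostnames whose Chrome build is below the fixed release for their platform."""
    return [host for host, platform, version in inventory
            if is_vulnerable(version, platform)]


if __name__ == "__main__":
    for host in vulnerable_hosts():
        print(f"{host}: Chrome predates CVE-2017-5027 fix, schedule update")
```

Feed the function the platform and version columns from your endpoint management export; the only fields it needs are the ones shown in the constructed inventory.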

Evidence notes

The public description states that Blink in Google Chrome prior to 56.0.2924.76 on Linux, Windows, and Mac, and prior to 56.0.2924.87 on Android, failed to properly enforce unsafe-inline Content Security Policy, allowing a remote attacker to bypass CSP via a crafted HTML page. The official references supplied are Google's stable-channel update and Chromium issue 661126. NVD records the CVSS 3.0 base vector as AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, which yields the 4.3 (Medium) score shown above.

Official resources

The references cited in the evidence for this record are Google's stable-channel update announcing the fixed Chrome 56 releases, Chromium issue 661126, and the NVD entry for CVE-2017-5027. The vulnerability was publicly disclosed on 2017-02-17; the later modified date shown in NVD reflects record maintenance, not a change to the original disclosure date.