
CVE-2016-1646

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 29 March 2016
Modified: 21 April 2026
KEV Added: 08 June 2022
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.6691 (98.6th percentile)
Risk Priority: 78 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2016-1646 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google V8, as shipped in Canonical Ubuntu Linux and the other products listed under Affected Assets. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability CVE-2016-1646 is an out-of-bounds read (CWE-125) in the Array.prototype.concat implementation within builtins.cc in Google V8, as used in Google Chrome before version 49.0.2623.108. The root cause is failure to properly account for element data types during array concatenation operations.

Remote attackers can exploit the issue by serving crafted JavaScript to a victim, triggering the flaw to cause a denial of service or potentially other unspecified impacts. The CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, no privileges required, user interaction limited to rendering the crafted script (UI:R), and high impact on confidentiality, integrity, and availability.

Public advisories and patches referenced in the Google Chrome stable channel update, several openSUSE security announcements, and Red Hat erratum RHSA-2016-0525 address the issue by updating affected V8 and Chrome packages to corrected versions. The source details provide no information on observed in-the-wild exploitation.

EU & UK References

Vulnerability details

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, does not properly consider element data types, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted JavaScript code.

CWE(s): CWE-125 (Out-of-bounds Read)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Affected versions
debian / debian linux: 8.0, 9.0
canonical / ubuntu linux: 14.04, 15.10, 16.04
google / chrome: ≤ 49.0.2623.108
suse / package hub: all versions
opensuse / leap: 42.1
opensuse / opensuse: 13.1
redhat / enterprise linux desktop: 6.0
redhat / enterprise linux eus: 6.7
redhat / enterprise linux server: 6.0
redhat / enterprise linux workstation: 6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor patch that eliminates the V8 Array.concat type-handling flaw before exploitation can occur.

SC-18 Mobile Code, partial match (prevent)

Allows definition of usage restrictions and implementation guidance for JavaScript (mobile code) that can block or sandbox the crafted concat operations used in the attack.

Control identifier not shown on this page (prevent)

Implements memory-access safeguards that can contain or block the out-of-bounds read resulting from the V8 type-handling error.

References