CVE-2016-1646
Published: 29 March 2016
Summary
CVE-2016-1646 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Array.prototype.concat implementation of Google V8, the JavaScript engine used in Google Chrome before 49.0.2623.108 and in the distribution-packaged Chromium builds covered by the openSUSE and Red Hat advisories cited below. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; CISA added it to the Known Exploited Vulnerabilities catalog on 08 June 2022; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), that is, updating Chrome or the embedded V8 to a fixed build, and SC-18 (Mobile Code), that is, restricting where untrusted JavaScript is allowed to run.
Deeper analysis
The vulnerability CVE-2016-1646 is an out-of-bounds read (CWE-125) in the Array.prototype.concat implementation within builtins.cc in Google V8, as used in Google Chrome before version 49.0.2623.108. The root cause is that the concat fast path does not properly consider the data type of the array elements it copies, so a crafted concatenation can read beyond the bounds of an array's backing store.
Remote attackers can exploit the issue by serving crafted JavaScript to a victim, triggering the flaw to cause a denial of service (renderer crash) or potentially other unspecified impact; in practice an out-of-bounds read inside the JavaScript engine is also a memory-disclosure primitive that can be chained with other bugs. The CVSS 3.1 base score of 8.8 corresponds to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network attack vector, low complexity, no privileges, user interaction limited to visiting a page that serves the script, and high impact on confidentiality, integrity, and availability.
Public advisories and patches referenced in the Google Chrome stable channel update, multiple openSUSE security announcements, and Red Hat errata RHSA-2016-0525 address the issue by updating affected V8 and Chrome installations to corrected versions. The referenced advisories themselves do not describe in-the-wild exploitation; the CISA KEV listing (added 08 June 2022) is the record of that.
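Since the only real fix is the vendor update, the first practical check is whether any client in your environment is still on a build older than 49.0.2623.108. The following is an added example, not code from the advisory or from the Chromium project: it compares Chrome version strings component by component (a plain string compare gets "49.0.2623.95" vs "49.0.2623.108" wrong, because "108" sorts before "95" lexically) and scans constructed web-server log lines for Chrome User-Agent tokens on vulnerable builds. The log lines and IPs are made up for the example; a User-Agent is only a hint, since Chromium-based browsers and embedders ship their own V8, so treat hits as candidates to verify, not proof.

```javascript
// Added example: flag Chrome clients older than the fixed release named in the advisory.
const FIXED_VERSION = "49.0.2623.108"; // from the advisory: Chrome before this is affected

// Parse a dotted version into an array of integers; null if it is not purely numeric.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.some((p) => !/^\d+$/.test(p))) return null;
  return parts.map((p) => parseInt(p, 10));
}

// Component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
// Missing trailing components are treated as 0 ("49.0" == "49.0.0.0").
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new TypeError(`bad version string: ${a} / ${b}`);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// True when the reported Chrome build predates the fixed release.
function isVulnerableChrome(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Pull the "Chrome/x.y.z.w" token out of a User-Agent string; null if absent.
// Edge, Opera and other Chromium-based browsers also carry this token, so a
// match is a candidate for follow-up, not a confirmed vulnerable V8 build.
function chromeVersionFromUA(ua) {
  const m = /\bChrome\/(\d+(?:\.\d+){0,3})/.exec(ua);
  return m ? m[1] : null;
}

// Constructed sample access-log lines (combined log format); not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [29/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.95 Safari/537.36"',
  '10.0.0.6 - - [29/Mar/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.108 Safari/537.36"',
  '10.0.0.7 - - [29/Mar/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"',
  '10.0.0.8 - - [29/Mar/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"',
];

// Scan log lines and return {ip, version} for every client on a vulnerable Chrome build.
function findVulnerableClients(lines) {
  const hits = [];
  for (const line of lines) {
    const ip = line.split(" ")[0];
    const uaMatch = /"([^"]*)"\s*$/.exec(line); // last quoted field is the User-Agent
    if (!uaMatch) continue;
    const version = chromeVersionFromUA(uaMatch[1]);
    if (version && isVulnerableChrome(version)) hits.push({ ip, version });
  }
  return hits;
}

// Stand-alone run: prints the two constructed clients still on pre-fix builds.
for (const hit of findVulnerableClients(SAMPLE_LOG)) {
  console.log(`${hit.ip} Chrome/${hit.version} predates ${FIXED_VERSION}`);
}
```

The same comparator works for any four-component Chromium version, so the fixed version can be swapped for later Chrome advisories; the User-Agent regex is the weak link and should be replaced by an inventory source (browser management reporting, package versions on Linux hosts) where one exists.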
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-2741
Vulnerability details
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, does not properly consider element data types, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted JavaScript code.
- CWE(s): CWE-125 (Out-of-bounds Read)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely installation of the vendor patch that eliminates the V8 Array.prototype.concat type-handling flaw, which is the only control that removes the vulnerability rather than limiting its reach.
SC-18 (Mobile Code): allows definition of usage restrictions and implementation guidance for JavaScript (mobile code), so that untrusted sites cannot run script in unpatched browsers and the crafted concat operations used in the attack never execute.
Memory protection: implements memory-access safeguards (renderer sandboxing, address-space randomization, data-execution prevention) that can contain the consequences of the out-of-bounds read resulting from the V8 type-handling error, although they do not prevent the read itself.
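A concrete form of the SC-18 usage restriction, as an added example rather than text from the advisory, is a Chrome managed policy that blocks JavaScript by default and re-enables it only for an allow-list of sites, buying time for unpatched endpoints. DefaultJavaScriptSetting (2 = block) and JavaScriptAllowedForUrls are real Chrome enterprise policy names; the hostnames are placeholders, and the Linux drop-in location /etc/opt/chrome/policies/managed/ is assumed (other platforms deliver the same policies via registry or profile).

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "https://[*.]intranet.example.com",
    "https://sso.example.com"
  ]
}
```

This is a stop-gap for hosts that cannot take the update immediately; it does not fix V8, and any allow-listed site that loads third-party script is still an entry point, so the policy should be retired once SI-2 is satisfied.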