
CVE-2016-5198

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 19 January 2017
Modified: 21 April 2026
KEV Added: 08 June 2022
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7866 (99.1st percentile)
Risk Priority: 85 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-5198 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an out-of-bounds write issue (CWE-787) stemming from incorrect optimisation assumptions in the V8 JavaScript engine. It affects Google Chrome versions prior to 54.0.2840.90 on Linux, 54.0.2840.85 on Android, and 54.0.2840.87 on Windows and Mac. The flaw permits arbitrary read and write operations when a victim visits a malicious page.

A remote attacker can exploit the issue by serving a crafted HTML page that triggers the optimisation error during JavaScript execution. Successful exploitation grants the attacker the ability to read or write arbitrary memory, which can be leveraged for remote code execution within the renderer process. The attack requires no user privileges beyond normal web browsing and is rated 8.8 under CVSS 3.1.

Vendor advisories, including the Chrome stable channel update and corresponding Red Hat, SecurityFocus, and SecurityTracker entries, direct users to upgrade to the fixed releases listed above. The Chromium bug tracker entry (crbug.com/659475) further confirms that the patch corrects the optimisation logic to eliminate the invalid memory access assumptions.


Vulnerability details

V8 in Google Chrome prior to 54.0.2840.90 for Linux, 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac included incorrect optimisation assumptions, which allowed a remote attacker to perform arbitrary read/write operations, leading to code execution, via a crafted HTML page.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google / chrome: ≤ 54.0.2840.90 · ≤ 54.0.2840.85 · ≤ 54.0.2840.87
redhat / enterprise linux desktop: 6.0
redhat / enterprise linux server: 6.0
redhat / enterprise linux workstation: 6.0

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: Directly requires timely application of the vendor patch that corrects the incorrect optimisation assumptions in V8, eliminating the out-of-bounds write before exploitation.

SC-39 (Process Isolation), prevent: Enforces process isolation between the V8 renderer and the rest of the browser, limiting arbitrary read/write and code execution to the compromised renderer process only.

Memory protection, prevent: Requires memory-protection techniques such as ASLR/DEP that raise the difficulty of converting the V8 out-of-bounds write into reliable remote code execution.
