CVE-2016-5198
Published: 19 January 2017
Summary
CVE-2016-5198 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an out-of-bounds write issue (CWE-787) stemming from incorrect optimisation assumptions in the V8 JavaScript engine. It affects Google Chrome versions prior to 54.0.2840.90 on Linux, 54.0.2840.85 on Android, and 54.0.2840.87 on Windows and Mac. The flaw permits arbitrary read and write operations when a victim visits a malicious page.
A remote attacker can exploit the issue by serving a crafted HTML page that triggers the optimisation error during JavaScript execution. Successful exploitation grants the attacker the ability to read or write arbitrary memory, which can be leveraged for remote code execution within the renderer process. The attack requires no user privileges beyond normal web browsing and is rated 8.8 under CVSS 3.1.
Vendor advisories, including the Chrome stable channel update and corresponding Red Hat, SecurityFocus, and SecurityTracker entries, direct users to upgrade to the fixed releases listed above. The Chromium bug tracker entry (crbug.com/659475) further confirms that the patch corrects the optimisation logic to eliminate the invalid memory access assumptions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-6149
Vulnerability details
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac included incorrect optimisation assumptions, which allowed a remote attacker to perform arbitrary read/write operations, leading to code execution, via a crafted HTML page.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the vendor patch that corrects the incorrect optimisation assumptions in V8, eliminating the out-of-bounds write before exploitation.
- SC-39 (Process Isolation): Enforces process isolation between the V8 renderer and the rest of the browser, limiting arbitrary read/write and code execution to the compromised renderer process only.
- Memory protection: Requires memory-protection techniques such as ASLR/DEP that raise the difficulty of converting the V8 out-of-bounds write into reliable remote code execution.