Cyber Resilience

CVE-2017-5030

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 April 2017

Modified: 21 April 2026
KEV Added: 08 June 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5031 (97.9th percentile)
Risk Priority: 68 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-5030 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability is an out-of-bounds read (CWE-125) stemming from incorrect handling of complex species in the V8 JavaScript engine. It affects Google Chrome versions prior to 57.0.2987.98 on Linux, Windows, and Mac, and prior to 57.0.2987.108 on Android, and carries a CVSS 3.1 base score of 8.8.

A remote attacker can exploit the flaw by serving a specially crafted HTML page that triggers the mishandling in V8. Successful exploitation grants arbitrary code execution in the context of the renderer process. The attack requires user interaction, such as visiting a malicious site.

Vendor advisories, including the Chrome stable channel update, Red Hat RHSA-2017-0499, and Debian DSA-3810, direct users to upgrade to the fixed releases listed above; the corresponding Chromium bug report (682194) provides additional technical detail on the patch. No information on observed in-the-wild exploitation is supplied in the references.

EU & UK References

Vulnerability details

Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.2987.108 for Android allowed a remote attacker to execute arbitrary code via a crafted HTML page.

CWE(s)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google / chrome: ≤ 57.0.2987.98 · ≤ 57.0.2987.108
debian / debian linux: 8.0, 9.0
redhat / enterprise linux desktop: 6.0
redhat / enterprise linux server: 6.0
redhat / enterprise linux workstation: 6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor-supplied patches (Chrome 57.0.2987.98/108) that correct the V8 out-of-bounds read.

prevent

Mandates input validation on untrusted data (crafted HTML/JS) before it reaches the V8 parser, addressing the root cause of the species-handling flaw.

SC-18 Mobile Code partial match
prevent

Provides policy and technical controls over mobile code (JavaScript) execution in the browser, limiting exposure to the malicious HTML page that triggers the vulnerability.

References