CVE-2017-5030
Published: 24 April 2017
Summary
CVE-2017-5030 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability is an out-of-bounds read (CWE-125) stemming from incorrect handling of complex species in the V8 JavaScript engine. "Species" refers to the ECMAScript Symbol.species mechanism, through which Array built-ins such as map, filter and slice construct their result object via a constructor that script can override; an engine fast path that assumes the result is an ordinary fresh array, or that trusts state cached across the species call, can be driven to read outside a live buffer. It affects Google Chrome versions prior to 57.0.2987.98 on Linux, Windows, and Mac, and prior to 57.0.2987.108 on Android, and carries a CVSS v3 base score of 8.8.
A remote attacker exploits the flaw by serving a specially crafted HTML page whose JavaScript triggers the mishandling in V8. Successful exploitation yields arbitrary code execution in the context of the renderer process; because the Chrome renderer is sandboxed, a full system compromise additionally requires a sandbox escape. The attack requires user interaction, typically visiting a malicious or compromised site.
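The following is an added example, not code from the advisory, from Chromium or from V8. It demonstrates the Symbol.species mechanism in ECMAScript terms and contrasts a spec-shaped map, which re-checks the source array on every iteration, with a "cached storage" fast path of the kind an optimizing engine might take. The page does not name the affected V8 code path, so the tampering species constructor here (which shrinks the source array while the built-in is running) is a generic illustration of the bug class and is an assumption, not a reconstruction of the actual trigger. In plain JavaScript the stale reads merely return undefined; in a native fast path holding a cached elements pointer they are the out-of-bounds read the advisory describes.

```javascript
// Added example, not from the advisory or from V8. Assumption: the "tampering
// species" pattern is a generic illustration of the species bug class.

// Simplified ArraySpeciesCreate (ECMA-262): read O.constructor, then its
// Symbol.species property, falling back to a plain Array.
function arraySpeciesCreate(original, length) {
  let C = original.constructor;
  if (C !== undefined && C !== null &&
      (typeof C === 'object' || typeof C === 'function')) {
    C = C[Symbol.species];
    if (C === null) C = undefined;
  }
  if (C === undefined) return new Array(length);
  if (typeof C !== 'function') throw new TypeError('species is not a constructor');
  return new C(length);
}

// Spec-like map: guards every index with HasProperty (the `in` check), so a
// species constructor that mutates the source cannot make it read stale slots.
function specMap(src, fn) {
  const len = src.length;
  const out = arraySpeciesCreate(src, len);   // user code may run here
  for (let k = 0; k < len; k++) {
    if (k in src) out[k] = fn(src[k], k, src);
  }
  return out;
}

// Fast-path map the way an engine might optimise it: snapshot the element
// storage and the length once, then never re-validate after the species call.
// Here the stale reads yield undefined; natively they read past the live buffer.
function cachedMap(src, fn) {
  const len = src.length;
  const elements = src;                       // "cached pointer" to storage
  const out = arraySpeciesCreate(src, len);   // user code may run here
  for (let k = 0; k < len; k++) {
    out[k] = fn(elements[k], k, src);         // no length / presence re-check
  }
  return out;
}

// Constructed input: an array whose species constructor shrinks the source
// array in the middle of the built-in that is iterating over it.
function makeTamperedSource() {
  const src = [10, 20, 30, 40];
  src.constructor = {
    [Symbol.species]: function (n) {
      src.length = 1;                         // side effect during the builtin
      return new Array(n);
    },
  };
  return src;
}

// Runs all three variants and reports how often the callback fired.
// A patched engine behaves like specMap; the native map result is included
// for comparison with whatever engine runs this file.
function runDemo() {
  let specCalls = 0, cachedCalls = 0, nativeCalls = 0;
  const specResult = specMap(makeTamperedSource(), (x) => { specCalls++; return x * 2; });
  const cachedResult = cachedMap(makeTamperedSource(), (x) => { cachedCalls++; return x * 2; });
  const nativeResult = makeTamperedSource().map((x) => { nativeCalls++; return x * 2; });
  return { specCalls, cachedCalls, nativeCalls, specResult, cachedResult, nativeResult };
}

console.log(runDemo());
```

The spec-shaped version invokes the callback once (only index 0 still exists after the species constructor truncated the array), while the cached variant invokes it for all four slots and reads three of them from storage that is no longer live. That difference, a length or element pointer trusted across a point where arbitrary script can run, is the invariant a species-related fix in an engine restores.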
Vendor advisories, including the Chrome stable channel update, Red Hat RHSA-2017-0499, and Debian DSA-3810, direct users to upgrade to the fixed releases listed above; the corresponding Chromium bug report (682194) provides additional technical detail on the patch. The references themselves do not describe in-the-wild exploitation, but CISA's later addition of the CVE to the KEV catalog (08 June 2022) indicates evidence of active exploitation, so unpatched Chrome 56 and earlier builds should be treated as exposed.
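As an added example (not from the advisory or any vendor tool), the check below decides whether a reported Chrome build is below the fixed release for its platform, and extracts version and platform from a User-Agent string as seen in proxy or web server logs. The fixed versions are those the advisory lists; the User-Agent strings and the platform heuristics (Android must be tested before Linux, since Android UAs contain both words) are assumptions of this example. Note that a four-component Chrome version must be compared numerically: a string comparison would rank 57.0.2987.98 above 57.0.2987.108 and misclassify patched Android builds.

```javascript
// Added example, not from the advisory. Fixed releases per platform are those
// stated in the advisory for CVE-2017-5030.
const FIXED_VERSIONS = {
  linux: '57.0.2987.98',
  windows: '57.0.2987.98',
  mac: '57.0.2987.98',
  android: '57.0.2987.108',
};

// Parse "major.minor.build.patch" into four integers; reject anything else.
function parseChromeVersion(v) {
  const parts = String(v).trim().split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`not a four-part Chrome version: ${v}`);
  }
  return parts.map(Number);
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseChromeVersion(a);
  const pb = parseChromeVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the build is strictly below the platform's fixed release.
function isVulnerableToCVE20175030(version, platform) {
  const fixed = FIXED_VERSIONS[String(platform).toLowerCase()];
  if (!fixed) throw new Error(`unknown platform: ${platform}`);
  return compareVersions(version, fixed) < 0;
}

// Pull version and platform out of a User-Agent string. The UA is attacker- and
// user-controlled, so treat the answer as a hint for triage, not as proof.
function chromeFromUserAgent(ua) {
  const m = /Chrome\/(\d+\.\d+\.\d+\.\d+)/.exec(ua);
  if (!m) return null;
  let platform = null;
  if (/Android/.test(ua)) platform = 'android';        // before Linux: Android UAs say both
  else if (/Windows/.test(ua)) platform = 'windows';
  else if (/Macintosh|Mac OS X/.test(ua)) platform = 'mac';
  else if (/Linux/.test(ua)) platform = 'linux';
  return { version: m[1], platform };
}

// Triage a list of UA strings, returning only the ones that look exposed.
function findExposedClients(userAgents) {
  const exposed = [];
  for (const ua of userAgents) {
    const info = chromeFromUserAgent(ua);
    if (!info || !info.platform) continue;             // not Chrome, or platform unknown
    if (isVulnerableToCVE20175030(info.version, info.platform)) {
      exposed.push({ ...info, ua });
    }
  }
  return exposed;
}

// Constructed sample log entries (not real traffic).
const SAMPLE_USER_AGENTS = [
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36',
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36',
  'Mozilla/5.0 (Linux; Android 7.0; Pixel Build/NDE63X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Mobile Safari/537.36',
  'Mozilla/5.0 (Linux; Android 7.0; Pixel Build/NDE63X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.108 Mobile Safari/537.36',
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36',
];

console.log(findExposedClients(SAMPLE_USER_AGENTS));
```

Of the constructed entries, the Windows 56.0.2924.87 build and the Android 57.0.2987.98 build are flagged; 57.0.2987.98 is fixed on desktop but still below the 57.0.2987.108 Android fix.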
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-14139
Vulnerability details
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.2987.108 for Android allowed a remote attacker to execute arbitrary code via a crafted HTML page.
- CWE(s): CWE-125 (Out-of-bounds Read)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Google Chrome prior to 57.0.2987.98 (Linux, Windows, Mac)
- Google Chrome prior to 57.0.2987.108 (Android)
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely application of the vendor-supplied patches (Chrome 57.0.2987.98 on desktop, 57.0.2987.108 on Android) that correct the V8 out-of-bounds read. This is the only control that removes the flaw.
Input validation on untrusted data: validating crafted HTML/JS before it reaches V8 is of limited value here. A browser must parse and execute arbitrary script from any site it visits, and the defect lies in the engine's own handling of species constructors rather than in any malformed input, so this control reduces exposure only where scripts from untrusted origins can be blocked outright.
SC-18 (Mobile Code): provides policy and technical controls over mobile code (JavaScript) execution in the browser, for example restricting script execution to allow-listed sites for unpatched fleets, limiting exposure to the malicious HTML page that triggers the vulnerability until patches are applied.