Cyber Resilience

CVE-2017-5070

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 27 October 2017

Modified: 21 April 2026
KEV Added: 08 June 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7438 (98.9th percentile)
Risk Priority: 82 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-5070 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability is a type confusion flaw, assigned CWE-843, in the V8 JavaScript engine within Google Chrome versions prior to 59.0.3071.86 on Linux, Windows, and Mac, and 59.0.3071.92 on Android. It carries a CVSS 3.1 base score of 8.8 and permits a remote attacker to execute arbitrary code inside the renderer sandbox when a user visits a malicious page.

A remote attacker can exploit the issue by serving a crafted HTML page that triggers the type confusion during JavaScript execution. Successful exploitation yields arbitrary code execution within the Chrome sandbox. The attack requires user interaction, such as navigating to the page, but no prior authentication or privileges.

Chrome stable channel updates and corresponding Red Hat errata RHSA-2017:1399 address the flaw by advancing affected installations to the fixed versions listed above; additional vendor trackers including SecurityFocus BID 98861 and SecurityTracker 1038622 reference the same remediation.

Vulnerability details

Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CWE(s): CWE-843 (Type Confusion)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome: ≤ 59.0.3071.86 · ≤ 59.0.3071.92
redhat enterprise linux desktop: 6.0
redhat enterprise linux server: 6.0
redhat enterprise linux workstation: 6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch that eliminates the type-confusion flaw in V8.

SC-18 Mobile Code (partial match)
prevent

Provides policy and technical controls on the execution of mobile code (JavaScript) that is the attack vector for this V8 flaw.

prevent · detect

Can block or detect malicious web content that attempts to trigger the type-confusion exploit before the browser processes it.
