CVE-2016-5198

CVSS 8.8 HIGH | EPSS 34.7% | KEV | CWE-787
Vexday Risk Score: 63 (High priority)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 8.8 | EPSS 34.7% | KEV: yes | PoC | Nuclei | Metasploit | Patch referenced
Lifecycle
19 Jan 2017: Published on NVD
08 Jun 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

V8 (Chrome's JavaScript engine) had a flaw in its optimization logic that allowed attackers to read and write arbitrary memory through a malicious website, potentially leading to complete control of your browser.

Technical detail

V8's optimization assumptions were incorrect, allowing out-of-bounds memory access (CWE-787) via crafted JavaScript in a web page. This enabled arbitrary read/write operations in the renderer process, facilitating code execution with renderer privileges.

Summary generated and translated by AI from the official description.
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac included incorrect optimisation assumptions, which allowed a remote attacker to perform arbitrary read/write operations, leading to code execution, via a crafted HTML page.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
