CVE-2016-1636Google Chrome vulnerability

CWE-2647 documents6 sources
Severity
9.8CRITICALNVD
OSV8.8
EPSS
1.4%
top 19.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Chrome
Timeline
PublishedMar 6
Latest updateMay 17

Description

The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before 49.0.2623.75 relies on memory-cache information about integrity-check occurrences instead of integrity-check successes, which allows remote attackers to bypass the Subresource Integrity (aka SRI) protection mechanism by triggering two loads of the same resource.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDgoogle/chrome48.0.2564.116

🔴Vulnerability Details

3
GHSA
GHSA-ffvj-r26r-x2p8: The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript2022-05-17
OSV
oxide-qt vulnerabilities2016-03-10
OSV
CVE-2016-1636: The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript2016-03-05

📋Vendor Advisories

2
Ubuntu
Oxide vulnerabilities2016-03-10
Red Hat
chromium-browser: SRI Validation Bypass2016-03-02

💬Community

1
Bugzilla
CVE-2016-1636 chromium-browser: SRI Validation Bypass2016-03-03