⚠ Actively exploited

Added to CISA KEV on 2022-06-08. Federal agencies required to patch by 2022-06-22. Required action: Apply updates per vendor instructions..

CVE-2016-5198 — Out-of-bounds Read in Google Chrome

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write15 documents9 sources

Severity

8.8HIGHNVD

EPSS

77.9%

top 0.99%

CISA KEV

KEV

Added 2022-06-08

Due 2022-06-22

Exploit

Exploited in wild

Active exploitation observed

Affected products

Google Chrome Redhat Enterprise Linux Desktop Redhat Enterprise Linux Server +1 more

Timeline

PublishedJan 19

KEV addedJun 8

KEV dueJun 22

Latest updateDec 5

CISA Required Action: Apply updates per vendor instructions.

Description

V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac included incorrect optimisation assumptions, which allowed a remote attacker to perform arbitrary read/write operations, leading to code execution, via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDgoogle/chrome< 54.0.2840.90+2

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_workstation6.0

🔴Vulnerability Details

GHSA

GHSA-cpfm-2p8w-wrxc: V8 in Google Chrome prior to 54↗2022-05-14

▶

OSV

oxide-qt vulnerabilities↗2016-12-01

▶

OSV

CVE-2016-5198: V8 in Google Chrome prior to 54↗2016-11-08

▶

VulnCheck

Google Chromium V8 Out-of-Bounds Memory Vulnerability↗2016

▶

📋Vendor Advisories

CISA

Google Chromium V8 Out-of-Bounds Memory Vulnerability↗2022-06-08

▶

Ubuntu

Oxide vulnerabilities↗2016-12-01

▶

Red Hat

chromium-browser: out of bounds memory access in v8↗2016-11-01

▶