CVE-2016-5218

medium

Published 2017-01-19 · Modified 2026-05-13

CVSS v3

6.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2

4.3

VIR risk

6.5

Description

The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled navigation within PDFs, which allowed a remote attacker to temporarily spoof the contents of the Omnibox (URL bar) via a crafted HTML page containing PDF data.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201612-3

OS impact

OS	Version	Status	Fixed in
arch		fixed	`55.0.2883.75-1`

Application impact

Vendor	Product	Versions	Fixed
google	chrome	`{"endIncluding":"54.0.2840.99"}`

References

https://security.archlinux.org/ASA-201612-3
http://rhn.redhat.com/errata/RHSA-2016-2919.html
http://www.securityfocus.com/bid/94633
https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop.html
https://crbug.com/660498
https://security.gentoo.org/glsa/201612-11

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.