Medium severity 4.3 · NVD Advisory · Published Jan 25, 2016 · Updated May 6, 2026

CVE-2016-1614

Description

Blink's UnacceleratedImageBufferSurface mishandles initialization mode, allowing crafted websites to leak process memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the UnacceleratedImageBufferSurface class in WebKit/Source/platform/graphics/UnacceleratedImageBufferSurface.cpp within Blink, used in Google Chrome before version 48.0.2564.82. The class mishandles the initialization mode, specifically inverting the condition for clearing the SkSurface: it clears the surface when told not to initialize image pixels, and vice versa [3]. This leads to uninitialized memory being exposed.
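The inverted check described above, modelled as an added example; this is not Blink's source. `InitMode`, `Surface`, `makeSurfaceInverted`, `makeSurfaceFixed` and `leakedBytes` are hypothetical names, and the "stale" bytes are constructed to stand in for recycled heap contents.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the advisory's "initialization mode".
enum class InitMode { Initialize, DoNotInitialize };

struct Surface { std::vector<uint8_t> pixels; };

// Constructed model of recycled memory: the backing store still holds
// bytes left behind by a previous owner (none of them are zero).
static Surface allocRecycled(size_t bytes) {
    static const char kStale[] = "stale-bytes-from-a-previous-owner";
    Surface s{std::vector<uint8_t>(bytes)};
    for (size_t i = 0; i < bytes; ++i)
        s.pixels[i] = static_cast<uint8_t>(kStale[i % (sizeof(kStale) - 1)]);
    return s;
}

// Inverted condition, as the advisory describes: the surface is cleared
// only when the caller asked NOT to initialize the pixels.
Surface makeSurfaceInverted(size_t bytes, InitMode mode) {
    Surface s = allocRecycled(bytes);
    if (mode == InitMode::DoNotInitialize)  // BUG: condition inverted
        std::fill(s.pixels.begin(), s.pixels.end(), 0);
    return s;
}

// Corrected condition: clear exactly when initialized pixels were requested.
// DoNotInitialize stays uncleared by design; it is safe only when the
// caller overwrites every pixel before the surface can be read back.
Surface makeSurfaceFixed(size_t bytes, InitMode mode) {
    Surface s = allocRecycled(bytes);
    if (mode == InitMode::Initialize)
        std::fill(s.pixels.begin(), s.pixels.end(), 0);
    return s;
}

// Regression check: count of non-zero bytes a reader of the surface would see.
size_t leakedBytes(const Surface& s) {
    return static_cast<size_t>(std::count_if(
        s.pixels.begin(), s.pixels.end(), [](uint8_t b) { return b != 0; }));
}

int main() {
    // Exit status 0 when a surface requested as initialized exposes nothing.
    return leakedBytes(makeSurfaceFixed(64, InitMode::Initialize)) == 0 ? 0 : 1;
}
```

A test of this shape, asserting that a surface requested as initialized reads back as all zeros, catches the inversion regardless of which caller reaches the constructor.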

Exploitation

An attacker can craft a malicious website that triggers the vulnerable code path. No authentication or special network position is required; the victim simply needs to visit the site. The bug is triggered when the ImageBitmap constructor or similar operations use the UnacceleratedImageBufferSurface with an incorrect opacity mode, causing the surface to be cleared when it should retain data, or vice versa [3]. The exact sequence involves the browser rendering content that uses ImageBitmap with specific parameters.

Impact

Successful exploitation allows a remote attacker to obtain sensitive information from process memory, potentially including data from other websites or the system [1][2][4]. The impact is limited to information disclosure; no code execution or privilege escalation is indicated.

Mitigation

The fix was included in Google Chrome 48.0.2564.82, released on January 20, 2016 [1]. Users should update to this version or later. Red Hat Enterprise Linux and Ubuntu also released updated packages (e.g., RHSA-2016-0072, USN-2877-1) [1][2]. Gentoo recommends upgrading to Chromium 49.0.2623.87 [4]. No workaround is available; updating is the only mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3


References

12
