CVE-2016-1643
Description
Blink in Chrome ≤49.0.2623.86 has a type confusion in ImageInputType::ensurePrimaryContent that can cause a denial of service or other impacts via crafted HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Blink rendering engine, as used in Google Chrome before version 49.0.2623.87. The ImageInputType::ensurePrimaryContent function in third_party/WebKit/Source/core/html/forms/ImageInputType.cpp fails to properly recreate the user agent (UA) shadow DOM once a fallback shadow tree has been created. This occurs when the src attribute of an `<input type="image">` element is updated after the fallback tree exists: code that expects the primary-content shadow tree then operates on the fallback tree, a type confusion condition [1].
Exploitation
An attacker can exploit this by serving a crafted web page containing an `<input type="image">` element whose `src` attribute is updated from script after the fallback shadow tree has been created, triggering recreation of the shadow tree without proper cleanup. No authentication or special network position is required beyond getting the victim to load the page; visiting the page is sufficient user interaction [1][2].
Impact
Successful exploitation can crash the renderer (denial of service) or, depending on how the type confusion is leveraged, have other unspecified impact, potentially including code execution within the sandboxed renderer process [2]. Code execution there is still confined by the Chrome sandbox; compromising the host would additionally require a sandbox escape. The CVSS v3 base score is 8.8 (High), reflecting the high potential impact.
Mitigation
The vulnerability is fixed in Chrome 49.0.2623.87; the fix makes ensurePrimaryContent recreate the UA shadow tree when the fallback tree is present [1]. Users should update to the latest Chrome version. Downstream packages are covered by the distribution advisories in the references: USN-2920-1 for Ubuntu's Oxide browser engine [2], DSA-3513 for Debian, and the openSUSE security announcements. No workaround is known; updating is the remedy.
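As an added worked check (not part of this advisory or of Chrome's own code), the snippet below decides whether a reported Chrome build predates the fixed version 49.0.2623.87. The point it demonstrates is that Chrome's four-component versions must be compared numerically, component by component: a string comparison would wrongly rank "49.0.2623.9" above "49.0.2623.87". The User-Agent strings are constructed samples, and the function names are this example's own.

```javascript
// Added example: screen Chrome versions against the CVE-2016-1643 fix.
// Fixed build per the Chrome stable channel update: 49.0.2623.87.
const FIXED_VERSION = "49.0.2623.87";

// Parse a dotted version string into integers, e.g. "49.0.2623.86" -> [49, 0, 2623, 86].
function parseVersion(v) {
  const parts = v.trim().split(".");
  if (parts.length === 0 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`Invalid version string: ${v}`);
  }
  return parts.map((p) => parseInt(p, 10));
}

// Component-wise numeric comparison; missing trailing components count as 0.
// Returns -1, 0 or 1. Never compare versions as strings ("9" > "87" lexically).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected means strictly older than the fixed build.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Pull the Chrome version token out of a User-Agent string; null if not Chrome.
function chromeVersionFromUA(ua) {
  const m = /\bChrome\/(\d+(?:\.\d+){0,3})/.exec(ua);
  return m ? m[1] : null;
}

// Summarise one User-Agent string: is it Chrome, which version, is it affected.
function assessUserAgent(ua) {
  const version = chromeVersionFromUA(ua);
  if (version === null) return { chrome: false, version: null, affected: null };
  return { chrome: true, version, affected: isAffected(version) };
}

// Constructed sample User-Agent strings (assumption: not captured from real traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.86 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0",
];

const SAMPLE_RESULTS = SAMPLE_UAS.map(assessUserAgent);
for (const r of SAMPLE_RESULTS) console.log(r);
```

A User-Agent header is client-controlled, so this is an inventory or screening aid (for example over proxy logs), not proof that a given client is patched; the authoritative check is the version reported by the browser itself or by the package manager.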
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- googlechromereleases.blogspot.com/2016/03/stable-channel-update_8.html (NVD)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00066.html (NVD)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00067.html (NVD)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00073.html (NVD)
- www.debian.org/security/2016/dsa-3513 (NVD)
- www.securityfocus.com/bid/84224 (NVD)
- www.securitytracker.com/id/1035259 (NVD)
- www.ubuntu.com/usn/USN-2920-1 (NVD)
- code.google.com/p/chromium/issues/detail (NVD)
- codereview.chromium.org/1732753004 (NVD)
News mentions
No linked articles in our index yet.