VYPR
Medium severity 4.3 · NVD Advisory · Published Jul 23, 2016 · Updated May 6, 2026

CVE-2016-5137

Description

Chrome before 52.0.2743.82 fails to match CSP insecure port policies to secure URLs, enabling HSTS-visit detection via CSP reports.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before version 52.0.2743.82, contains a flaw in the CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp. Specifically, the function does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs [1]. This occurs because the specification change that allowed insecure ports to match secure ports in source expressions (a refinement addressing a previous issue) was not fully implemented in this version [1].

Exploitation

A remote attacker can craft a website whose CSP (including a report-uri directive) allows a resource from an HSTS-protected host only over http on port 80, and then has the page request that resource. If the browser holds an HSTS entry for that host, it upgrades the request to https on port 443 before the policy is checked; because the flawed matching does not treat the http :80 source as covering the https :443 URL, the request is reported as a violation. Without an HSTS entry the request stays on http :80, matches the policy, and no report is sent. The presence or absence of the report therefore reveals whether the user has previously visited that HSTS-enabled site [1]. No authentication or privileged network position is required; the user must only visit the attacker's site.
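The following is an added illustration for this advisory, not Blink's CSPSource.cpp or any code from the Chromium review [1]. It models CSP host-source matching in JavaScript with a flag that switches between the pre-fix behaviour (an http :80 or ws :80 source does not cover the https :443 or wss :443 form of the same host) and the fixed behaviour described in the Vulnerability section, and then runs one request through a simplified HSTS-then-CSP pipeline so the report difference described above becomes visible. Host names such as hsts.example and the helper names are constructed placeholders.

```javascript
// Added example for CVE-2016-5137 (constructed; not Blink's implementation).
// Models CSP source-expression matching with and without the rule that an
// insecure default port (80) may match the secure default port (443) of the
// upgraded scheme. allowUpgrade=false reproduces the pre-fix behaviour,
// allowUpgrade=true the behaviour of Chrome 52.0.2743.82 and later.

const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443 };
// Insecure scheme -> the secure counterpart it may match under the upgrade rule.
const SECURE_COUNTERPART = { http: "https", ws: "wss" };

// Parse a host-source such as "http://hsts.example:80" or "wss://chat.example:*".
// Returns { scheme, host, port } with port "" when no port-part is present.
function parseSourceExpression(expr) {
  const m = /^([a-z]+):\/\/([^:/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

// A missing port means the scheme's default port.
function effectivePort(scheme, port) {
  return port === "" ? DEFAULT_PORTS[scheme] : Number(port);
}

function schemeMatches(exprScheme, urlScheme, allowUpgrade) {
  if (exprScheme === urlScheme) return true;
  // Fixed rule: http covers https, ws covers wss (never the reverse).
  return allowUpgrade && SECURE_COUNTERPART[exprScheme] === urlScheme;
}

function portMatches(src, urlScheme, urlPort, allowUpgrade) {
  if (src.port === "*") return true;
  const want = effectivePort(src.scheme, src.port);
  const got = effectivePort(urlScheme, urlPort);
  if (want === got) return true;
  // Fixed rule: the insecure default port (80) matches the secure default
  // port (443) when the URL uses the secure counterpart scheme.
  return allowUpgrade &&
    SECURE_COUNTERPART[src.scheme] === urlScheme &&
    want === DEFAULT_PORTS[src.scheme] &&
    got === DEFAULT_PORTS[urlScheme];
}

// Does a host-source expression cover a request URL? Path matching is omitted.
function sourceMatches(expr, urlString, allowUpgrade) {
  const src = parseSourceExpression(expr);
  const u = new URL(urlString);
  const urlScheme = u.protocol.replace(/:$/, "");
  return src.host === u.hostname &&
    schemeMatches(src.scheme, urlScheme, allowUpgrade) &&
    portMatches(src, urlScheme, u.port, allowUpgrade);
}

// Simplified pipeline for one subresource request: HSTS runs before CSP, so an
// http:// request to a host with an HSTS entry is rewritten to https:// (default
// port) and only the rewritten URL is checked against the policy.
function checkRequest(expr, requestUrl, hstsHosts, allowUpgrade) {
  const u = new URL(requestUrl);
  const upgraded = u.protocol === "http:" && u.port === "" && hstsHosts.has(u.hostname);
  const finalUrl = upgraded ? `https://${u.hostname}${u.pathname}` : u.href;
  // violation=true is what would trigger a report to the policy's report-uri.
  return { finalUrl, violation: !sourceMatches(expr, finalUrl, allowUpgrade) };
}
```

With the pre-fix matcher, checkRequest("http://hsts.example:80", "http://hsts.example/pixel.png", …) reports a violation only when hsts.example is in the HSTS set, which is exactly the signal the advisory describes; with allowUpgrade=true the upgraded request matches and no report is produced in either case, so the report no longer depends on HSTS state. The fixed matcher still rejects a downgrade (an https source does not cover an http URL) and a non-default secure port (https :8443), so the relaxation is limited to the default-port pair.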

Impact

Upon successful exploitation, the attacker gains the ability to determine whether a specific HSTS website has been visited by reading a CSP report [1]. This is an information disclosure that violates the user's privacy by revealing browsing history. The attacker does not gain code execution or modify data; the impact is limited to sensitive information disclosure (confidentiality breach).

Mitigation

The vulnerability is fixed in Google Chrome version 52.0.2743.82, released on July 20, 2016 [2]. Users should update Chrome to this version or later. The update was also distributed through Red Hat (RHSA-2016:1485) [2], Ubuntu (USN-3041-1) [3], and Gentoo (GLSA 201610-09) [4]. There is no workaround for unpatched versions; the only mitigation is to apply the security update.

[1]: https://codereview.chromium.org/2125873003
[2]: http://rhn.redhat.com/errata/RHSA-2016-1485.html
[3]: http://www.ubuntu.com/usn/USN-3041-1
[4]: https://security.gentoo.org/glsa/201610-09

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 13

News mentions: 0 (No linked articles in our index yet.)