High severity8.8NVD Advisory· Published Aug 7, 2016· Updated May 6, 2026

CVE-2016-5145

Description

Blink, as used in Google Chrome before 52.0.2743.116, does not ensure that a taint property is preserved after a structure-clone operation on an ImageBitmap object derived from a cross-origin image, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop.htmlnvd
lists.opensuse.org/opensuse-security-announce/2016-08/msg00005.htmlnvd
lists.opensuse.org/opensuse-security-announce/2016-08/msg00006.htmlnvd
rhn.redhat.com/errata/RHSA-2016-1580.htmlnvd
www.securityfocus.com/bid/92276nvd
www.securitytracker.com/id/1036547nvd
codereview.chromium.org/2096313002nvd
codereview.chromium.org/2097393002nvd
codereview.chromium.org/2178513002nvd
crbug.com/623406nvd
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KMX62M7UNRLWO4FEQ6YIMPMTKXXJV6A/nvd
security.gentoo.org/glsa/201610-09nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000