CVE-2016-5146

Vulnerability

Multiple unspecified vulnerabilities exist in Google Chrome prior to version 52.0.2743.116. The official description states that these flaws allow attackers to cause a denial of service or possibly have other impact via unknown vectors [1]. The Red Hat advisory confirms that these vulnerabilities could be triggered by visiting a web page containing malicious content [1]. Affected versions include all Chrome builds before 52.0.2743.116.

Exploitation

An attacker would need to host a malicious web page and convince a victim to visit it. No further authentication or special network position is required beyond standard web access. The specific vectors are not fully disclosed, but the vulnerabilities reside in the browser's processing of web content, meaning user interaction (visiting a page) is the triggering action [1].

Impact

Successful exploitation can lead to denial of service (browser crash), arbitrary code execution in the context of the browser process, or disclosure of sensitive information [1][2]. The Red Hat advisory rates the overall impact as Important (CVSS 9.8). The Gentoo security advisory notes that arbitrary code execution could occur with the privileges of the Chrome process [2].

Mitigation

The fixed version is Google Chrome 52.0.2743.116, released on or around August 7, 2016. Updates are available via standard Chrome auto-update channels. Red Hat released updated chromium-browser packages for Red Hat Enterprise Linux 6 [1]. Gentoo recommends upgrading to version 54.0.2840.59 or later [2]. There is no known workaround for the vulnerabilities other than updating to the patched version.