CVE-2016-9651

high-risk

Published 2019-01-09

A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Do I need to act?

52.7% chance of exploitation in next 30 days

EPSS score — higher than 47% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

42175

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (4)

Chrome

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Affected Vendors

Redhat Google

References (12)

http://rhn.redhat.com/errata/RHSA-2016-2919.html

http://www.securityfocus.com/bid/94633

https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop....

https://crbug.com/664411

https://security.gentoo.org/glsa/201612-11

https://www.exploit-db.com/exploits/42175/

http://rhn.redhat.com/errata/RHSA-2016-2919.html

http://www.securityfocus.com/bid/94633

https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop....

https://crbug.com/664411

https://security.gentoo.org/glsa/201612-11

https://www.exploit-db.com/exploits/42175/

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 18/34 · Moderate

Exposure 10/34 · Low