SB2016100318 - Fedora 25 update for chromium
Published: October 3, 2016 Updated: April 24, 2025
Security Bulletin ID
SB2016100318
CSH Severity
High
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Arbitrary code execution (CVE-ID: CVE-2016-5177)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to cause arbitrary code execution on the target user's system.
The weakness exists due to use-after-free memory error in the V8 engine. By sending a specially crafted content and tricking the victim to upload it attackers can trigger the arbitrary code to be executed.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
2) Arbitrary code execution (CVE-ID: CVE-2016-5178)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to cause arbitrary code execution on the target user's system.
The weakness exists due to insufficient input validation. By sending a specially crafted content and tricking the victim to upload it attackers can trigger the arbitrary code to be executed.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Remediation
Install update from vendor's website.