LiveActive security incident?Get immediate response
CVE Record

CVE-2017-5070: Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 f...

Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

HighCVSS 8.8Known exploitedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2017-5070 is a Google Chrome V8 memory safety issue that could let an attacker run code when a user visits a crafted HTML page. It is old, but CISA lists it as known exploited, so any remaining legacy Chrome installations should be treated as urgent cleanup.

Executive priority

Prioritize remediation where legacy Chrome remains in use. The issue is old, but known exploitation makes it a governance and hygiene risk for unmanaged endpoints, kiosks, and unsupported systems.

Technical view

The issue is a CWE-843 type confusion flaw in V8 affecting Chrome before 59.0.3071.86 on Linux, Windows, and Mac, and before 59.0.3071.92 on Android. The CVE states remote arbitrary code execution occurs inside the browser sandbox via crafted HTML, with user interaction required.

Likely exposure

Exposure is most likely on unmanaged, legacy, kiosk, embedded, or Android devices running Chrome below the fixed versions. Fully updated Chrome installations are not indicated as affected by the provided sources.

Exploitation context

CISA KEV status supports known exploitation. The supplied sources do not provide campaign details, exploit availability, or whether exploitation required chaining with a sandbox escape. The CVSS vector indicates network delivery, low complexity, no privileges, and user interaction required.

Researcher notes

Evidence supports V8 type confusion with arbitrary code execution inside the sandbox. The bundle does not establish a sandbox escape, active campaign details, or exploit-chain requirements. Treat exploitation claims as limited to CISA KEV confirmation.

Mitigation direction

  • Upgrade Chrome to the fixed version or a current supported release.
  • Identify unmanaged endpoints running obsolete Chrome or Chromium-based packages.
  • Apply relevant Linux distribution security updates, including Red Hat or Gentoo advisories where applicable.
  • Prioritize legacy browsers used for email, web browsing, kiosks, and administrative workstations.
  • Check current vendor guidance for any platform-specific remediation details.

Validation and detection

  • Inventory Chrome versions across desktop, Linux, Mac, Windows, and Android fleets.
  • Confirm no Chrome versions remain below 59.0.3071.86 on desktop platforms.
  • Confirm Android Chrome is not below 59.0.3071.92.
  • Review package manager records for applicable Red Hat or Gentoo security updates.
  • Track this CVE in vulnerability management because it is listed in CISA KEV.
Prepared
Confidence
high
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-843: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2017-5070 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H2.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2017-5070Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/aGoogle Chrome prior to 59.0.3071.86 for Linux, Windows and Mac, and 59.0.3071.92 for AndroidGoogle Chrome prior to 59.0.3071.86 for Linux, Windows and Mac, and 59.0.3071.92 for AndroidListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-843 · source CWE mapping

Access of Resource Using Incompatible Type ('Type Confusion')

Access of Resource Using Incompatible Type ('Type Confusion') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.