CVE-2016-1646 — Vulnetix

Try Vulnetix Request Demo

CVE-2016-1646 PUBLISHED KEV

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, does not properly consider element data types, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted JavaScript code.

EPSS 66.51% · 98.5th percentile

Risk Scores

EPSS Score

66.51%

98.5th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	libv8-3.14	3.14.5.8-11ubuntu1, 0
Ubuntu:16.04:LTS	chromium-browser	0, 47.0.2526.73-0ubuntu1.1218, 45.0.2454.101-0ubuntu1.1201
Ubuntu:16.04:LTS	libv8-3.14	0, 3.14.5.8-5ubuntu2
Ubuntu:14.04:LTS	chromium-browser	40.0.2214.94-0ubuntu0.14.04.1.1068, 40.0.2214.111-0ubuntu0.14.04.1.1069, 41.0.2272.76-0ubuntu0.14.04.1.1076
Ubuntu:14.04:LTS	oxide-qt	1.9.1-0ubuntu0.14.04.2, 1.4.2-0ubuntu0.14.04.1, 1.4.3-0ubuntu0.14.04.1
Ubuntu:16.04:LTS	oxide-qt	1.11.3-0ubuntu3, 1.11.4-0ubuntu1, 1.11.5-0ubuntu1

Timeline

Mar 29, 2016 CVE Published
Sep 24, 2019 VulnCheck KEV Exploitation
Sep 25, 2019 PoC Published
Oct 9, 2020 PoC Published
Feb 4, 2022 EPSS Score
Jun 8, 2022 CISA KEV Added
Jun 14, 2023 PoC Published
Nov 8, 2023 EPSS Score
Dec 5, 2024 VulnCheck KEV Exploitation
Dec 17, 2024 EPSS Score
Dec 24, 2024 PoC Published
Feb 23, 2025 PoC Published

References

https://ubuntu.com/security/CVE-2016-1646 third-party-advisory
http://googlechromereleases.blogspot.com/2016/03/ third-party-advisory
https://ubuntu.com/security/notices/USN-2955-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2016-1646 third-party-advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory

Open in Interactive Console →