Search for vulnerabilities
Vulnerability details: VCID-sv4z-91cr-27bx
Vulnerability ID VCID-sv4z-91cr-27bx
Aliases CVE-2016-9651
Summary A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-94 Improper Control of Generation of Code ('Code Injection')
System Score Found at
cvssv3 8.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9651.json
epss 0.53947 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.53947 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
epss 0.56491 https://api.first.org/data/v1/epss?cve=CVE-2016-9651
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2016-9651
cvssv3 8.8 https://nvd.nist.gov/vuln/detail/CVE-2016-9651
archlinux High https://security.archlinux.org/AVG-162
archlinux Critical https://security.archlinux.org/AVG-93
Reference id Reference type URL
http://rhn.redhat.com/errata/RHSA-2016-2919.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9651.json
https://api.first.org/data/v1/epss?cve=CVE-2016-9651
https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop.html
https://crbug.com/664411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5192
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5193
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5194
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5198
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9652
https://security.gentoo.org/glsa/201612-11
https://www.exploit-db.com/exploits/42175/
http://www.securityfocus.com/bid/94633
1400850 https://bugzilla.redhat.com/show_bug.cgi?id=1400850
ASA-201612-3 https://security.archlinux.org/ASA-201612-3
ASA-201702-2 https://security.archlinux.org/ASA-201702-2
AVG-162 https://security.archlinux.org/AVG-162
AVG-93 https://security.archlinux.org/AVG-93
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
CVE-2016-9651 Exploit https://github.com/secmob/pwnfest2016/
CVE-2016-9651 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/android/remote/42175.html
CVE-2016-9651 https://nvd.nist.gov/vuln/detail/CVE-2016-9651
RHSA-2016:2919 https://access.redhat.com/errata/RHSA-2016:2919
USN-3153-1 https://usn.ubuntu.com/3153-1/
Data source Exploit-DB
Date added June 14, 2017
Description Google Chrome - V8 Private Property Arbitrary Code Execution
Ransomware campaign use Unknown
Source publication date June 14, 2017
Exploit type remote
Platform android
Source update date June 14, 2017
Source URL https://github.com/secmob/pwnfest2016/
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9651.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2016-9651
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-9651
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.979
EPSS Score 0.53947
Published At Aug. 14, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:41:41.816078+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/3153-1/ 37.0.0