CVE-2016-5161 in Chrome
Summary
by MITRE
The EditingStyle::mergeStyle function in WebKit/Source/core/editing/EditingStyle.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, mishandles custom properties, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site that leverages "type confusion" in the StylePropertySerializer class.
Analysis
by VulDB Data Team • 09/14/2022
CVE-2016-5161 is a bug in Blink, the rendering engine Google forked from WebKit for Chrome (the source path still carries the WebKit prefix), and it affects Chrome on every desktop platform. The flaw is in EditingStyle::mergeStyle in WebKit/Source/core/editing/EditingStyle.cpp, the routine that merges one set of inline CSS declarations into another during contenteditable and execCommand editing operations. The problem surfaces when that merge step encounters custom CSS properties (the --name variables introduced by CSS Custom Properties), which the code did not handle correctly and which a web page can supply at will.
Technically the bug is a type confusion in the StylePropertySerializer class, which serializes CSS declarations back to text during editing. Custom properties are represented by a different value type than the built-in properties the serializer expects, and when mergeStyle handed a custom property through this path the code treated the object as if it were the expected type without checking. Type confusion of this kind means a read or write intended for one object layout lands on a different one; the practical result ranges from an immediate renderer crash to memory corruption that an attacker could attempt to build on. The location is notable because the editing layer runs on attacker-controlled HTML and CSS whenever the page makes a region editable and invokes editing commands, so no unusual user action is required.
The operational impact is therefore broader than a simple denial of service. A remote attacker serving a crafted page to an unpatched Chrome can crash the renderer or, as MITRE's description puts it, "possibly have unspecified other impact". Because the defect is in Blink rather than in platform-specific code, Windows, OS X and Linux builds are all affected. The CWE entry that describes this bug class is CWE-843, "Access of Resource Using Incompatible Type ('Type Confusion')"; buffer-offset or data-structure-modification weaknesses do not characterize it.
The attack vector is a drive-by: the victim only has to load a web page containing HTML and CSS crafted to reach the EditingStyle::mergeStyle code path with custom properties present. In ATT&CK terms this is Initial Access via T1189, Drive-by Compromise; no local shell or scripting interpreter on the victim machine is involved. The severity depends on what an attacker can do with the confused object: the confirmed outcome is a renderer crash (denial of service), and the description leaves open the possibility of more serious impact such as code execution inside the renderer process.
Mitigation is to update Chrome. The fixed builds are 53.0.2785.89 or later on Windows and OS X, and 53.0.2785.92 or later on Linux, the versions named in the MITRE description; any earlier build on that platform is affected. Administrators should confirm that Chrome's automatic updates are not blocked by policy, inventory installed versions against these thresholds, and treat a spike in Chrome renderer crashes as worth a look while unpatched clients remain. The patched releases correct the handling of custom properties in the merge and serialization path so that the serializer no longer operates on a value of the wrong type; the public description does not go into further detail about the code change.
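A practical check for the inventory step above, as an added example that is not part of the VulDB analysis or of Chrome itself: it compares a reported Chrome version against the platform-specific fixed build named in the advisory and classifies desktop Chrome User-Agent strings from web or proxy logs. The User-Agent patterns and the sample log lines are constructed for this example; Chrome OS, Android and Chromium-derived browsers (which also carry a Chrome/ token) are not covered by the advisory and are deliberately left unclassified or should be read with that caveat.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds from the MITRE description; any build strictly below these
# on the given platform is affected by CVE-2016-5161.
FIXED_VERSIONS = {
    "windows": (53, 0, 2785, 89),
    "macos": (53, 0, 2785, 89),
    "linux": (53, 0, 2785, 92),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '53.0.2785.89' into an int tuple.

    Tuple comparison then orders versions correctly (2785 > 999), which a
    plain string comparison would get wrong.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool:
    """True if this Chrome build on this platform predates the fixed build."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        # Platforms the advisory does not name get no verdict rather than a guess.
        raise ValueError(f"no fixed build known for platform {platform!r}")
    return parse_version(version) < fixed


# Desktop platform markers in Chrome User-Agent strings (assumed patterns for
# this example; mobile and Chrome OS strings intentionally do not match).
_UA_VERSION = re.compile(r"\bChrome/(\d+(?:\.\d+)+)")
_UA_PLATFORMS = (
    ("windows", re.compile(r"Windows NT")),
    ("macos", re.compile(r"Macintosh; Intel Mac OS X")),
    ("linux", re.compile(r"X11; Linux")),
)


def classify_user_agent(ua: str) -> Optional[Tuple[str, str, bool]]:
    """Return (platform, version, vulnerable) for a desktop Chrome UA, else None.

    Note: Chromium derivatives such as Edge or Opera also carry a Chrome/
    token; the verdict then reflects their Blink build, not a Chrome release.
    """
    m = _UA_VERSION.search(ua)
    if not m:
        return None
    for name, pattern in _UA_PLATFORMS:
        if pattern.search(ua):
            version = m.group(1)
            return name, version, is_vulnerable(version, name)
    return None


# Constructed sample log lines: one vulnerable Linux client, one patched
# Windows client, one Safari client that is out of scope.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) '
    'AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50"',
]


def vulnerable_clients(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client_ip, platform, version) for unpatched Chrome."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        verdict = classify_user_agent(line)
        if verdict and verdict[2]:
            hits.append((ip, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for ip, platform, version in vulnerable_clients(SAMPLE_LOG):
        print(f"{ip}: Chrome {version} on {platform} is affected by CVE-2016-5161")
```

The Linux threshold differs from the Windows and OS X one, so a version check that uses a single fixed build for all platforms would wrongly clear 53.0.2785.89 on Linux; the per-platform table is the point of the example.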