CVE-2016-1646

CVE Database · CVE-2016-1646

CVE-2016-1646

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

45.30%

Published

Mar 29, 2016

Modified

Apr 21, 2026

CISA Known Exploited Vulnerability

Added: 2022-06-08 · Due: 2022-06-22

Apply updates per vendor instructions.

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, does not properly consider element data types, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted JavaScript code.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-125CWE-125

Affected Products (13)

debian · debian_linuxvulnerable

canonical · ubuntu_linuxvulnerable

google · chrome (up to 49.0.2623.108)vulnerable

suse · package_hubvulnerable

opensuse · leapvulnerable

opensuse · opensusevulnerable

redhat · enterprise_linux_desktopvulnerable