Heap Buffer Overflow in libvpx in Google Chrome
CVE-2023-5217

8.8 HIGH

Key Information:

Vendor: Google
CVE Published: 28 September 2023

Badges

👾 Exploit Exists | 🟡 Public PoC | 🦅 CISA Reported | 📰 News Worthy

Summary

A heap buffer overflow vulnerability in the VP8 encoding process of libvpx, utilized by Google Chrome, enables remote attackers to potentially corrupt heap memory. This can be achieved by enticing a user to view a specially crafted HTML page, which may lead to arbitrary code execution or system crashes. Users are urged to update their browsers to the latest versions to mitigate the risk of exploitation.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Chrome 117.0.5938.132

libvpx 1.13.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

Google releases emergency patches for eighth Chrome zero-day of 2023

Security pros say while it's unfortunate Google found another zero-day, the company released a patch within a day.

Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Google has released a Chrome update to patch a new high-severity zero-day vulnerability (CVE-2023-5217) that is being exploited in the wild.

Microsoft Edge, Teams get fixes for zero-days in open-source libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 🦅 CISA Reported
  • 📰 First article discovered by SecurityWeek
  • Vulnerability published
  • Vulnerability Reserved
