Heap Buffer Overflow in libvpx in Google Chrome
CVE-2023-5217

8.8 HIGH

Key Information:

Vendor: Google

CVE Published: 28 September 2023

Badges

👾 Exploit Exists | 🟡 Public PoC | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2023-5217?

A heap buffer overflow vulnerability in the VP8 encoding process of libvpx, utilized by Google Chrome, enables remote attackers to potentially corrupt heap memory. This can be achieved by enticing a user to view a specially crafted HTML page, which may lead to arbitrary code execution or system crashes. Users are urged to update their browsers to the latest versions to mitigate the risk of exploitation.

CISA has reported CVE-2023-5217

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-5217 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This status may change quickly.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Chrome 117.0.5938.132

libvpx 1.13.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Google releases emergency patches for eighth Chrome zero-day of 2023

Security pros say while it’s unfortunate Google found another zero-day, the company released a patch within a day.

Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Google has released a Chrome update to patch a new high-severity zero-day vulnerability (CVE-2023-5217) that is being exploited in the wild.

Microsoft Edge, Teams get fixes for zero-days in open-source libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 🦅 CISA Reported
  • 📰 First article discovered by SecurityWeek
  • Vulnerability published
  • Vulnerability Reserved