⚠ Actively exploited

Added to CISA KEV on 2023-10-02. Federal agencies required to patch by 2023-10-23. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-5217

CWE-787 — Out-of-bounds Write CWE-119 — Buffer Overflow31 documents17 sources

Severity

8.8HIGH

EPSS

3.6%

top 12.27%

CISA KEV

KEV

Added 2023-10-02

Due 2023-10-23

Exploit

Exploited in wild

Active exploitation observed

Affected products

Google Chrome Google Libvpx Apple Ipados +9 more

Timeline

PublishedSep 28

KEV addedOct 2

KEV dueOct 23

Latest updateDec 18

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages17 packages

▶CVEListV5google/libvpx1.13.1 — 1.13.1

▶CVEListV5google/chrome117.0.5938.132 — 117.0.5938.132

▶NVDgoogle/chrome< 117.0.5938.132

▶NVDwebmproject/libvpx< 1.13.1

▶Debianlibvpx< 1.9.0-1+deb11u1+3

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 37, 38, 39, Enterprise Linux 9.0

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

CefSharp affected by libvpx's heap buffer overflow in vp8 encoding↗2023-10-05

▶

OSV

CefSharp affected by libvpx's heap buffer overflow in vp8 encoding↗2023-10-05

▶

GHSA

Electron affected by libvpx's heap buffer overflow in vp8 encoding↗2023-09-28

▶

CVEList

CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117↗2023-09-28

▶

OSV

CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117↗2023-09-28

▶

📋Vendor Advisories

Ubuntu

libvpx vulnerability↗2024-12-18

▶

Ubuntu

libvpx vulnerabilities↗2023-11-01

▶

Ubuntu

libvpx vulnerabilities↗2023-10-23

▶

Apple

CVE-2023-5217: iOS 16.7.1 and iPadOS 16.7.1↗2023-10-10

▶

Chrome

Long Term Support Channel Update for ChromeOS: CVE-2023-5217↗2023-10-06

▶

🕵️Threat Intelligence

Bleepingcomputer

Apple fixes iOS Kernel zero-day vulnerability on older iPhones↗2023-10-12

▶

Bleepingcomputer

Microsoft Edge, Teams get fixes for zero-days in open-source libraries↗2023-10-03

▶

Wiz

CVE-2023-4863 and CVE-2023-5217 Exploited in the Wild | Wiz Blog↗2023-10-01

▶

Wiz

CVE-2023-4863 and CVE-2023-5217 Exploited in the Wild | Wiz Blog↗2023-10-01

▶

Bleepingcomputer

Google fixes fifth actively exploited Chrome zero-day of 2023↗2023-09-27

▶