CVE-2023-5217

CVSS 8.8 HIGH | EPSS 34.4% | KEV | CWE-787

In short

A flaw in video encoding software (VP8 in libvpx) allowed attackers to corrupt computer memory by sending a specially crafted web page. This could lead to crashes or potentially allow malicious code execution.

Technical detail

A heap buffer overflow in the VP8 encoder in libvpx affects Google Chrome versions prior to 117.0.5938.132 and libvpx versions before 1.13.1. A remote attacker can trigger heap corruption through a malicious HTML page, potentially enabling arbitrary code execution or denial of service.

Summary generated and translated by AI from the official description.
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H