Yet another Chrome zero-day exploited in the wild! (CVE-2023-5217)

Google has fixed another critical zero-day vulnerability (CVE-2023-5217) in Chrome that is being exploited in the wild.


About CVE-2023-5217

The vulnerability is caused by a heap buffer overflow in vp8 encoding in libvpx – a video codec library from Google and the Alliance for Open Media (AOMedia).

CVE-2023-5217 has been fixed in Google Chrome 117.0.5938.132 for Windows, Mac and Linux users.

Google noted that the exploit for CVE-2023-5217 exists in the wild, so users are recommended to update as soon as possible.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.

The vulnerability has been reported by Clément Lecigne of Google’s Threat Analysis Group on September 25. As noted by his colleague Maddie Stone, the flaw is being used by a commercial surveillance vendor.

In this latest update, Google has also resolved two other high-severity flaws reported by researchers:

  • CVE-2023-5186 – A use after free (UAF) vulnerability in Passwords
  • CVE-2023-5187 – A use after free (UAF) vulnerability in Extensions

Recently exploited zero-days

Earlier this month, Apple patched two zero-day vulnerabilities (CVE-2023-41064, CVE-2023-41061) chained and exploited to deliver NSO Group’s Pegasus spyware to high-risk targets.

CVE-2023-41064 – a buffer overflow vulnerability in the ImageI/O framework – turned out to be the effectively the same flaw as CVE-2023-4863 – a Chrome zero-day heap buffer overflow vulnerability in WebP, because the source of the vulnerability is the libwebp library both companies implemented.

Google has first created a new CVE ID for the flaw in libwebp (CVE-2023-5129), but it was soon rejected or withdrawn for being a duplicate of CVE-2023-4863.

UPDATE (September 29, 2023, 10:05 a.m. ET):

Mozilla has fixed CVE-2023-5217 in Firefox, Firefox ESR, Firefox for Android and Firefox Focus for Android.

Like libwebp, libvpx is a widely used library, so we can expect a flurry security updates in popular software to be released in the coming days.

UPDATE (October 2, 2023, 03:50 a.m. ET):

Libvpx v1.13.1, with fixes for CVE-2023-5217 and CVE-2023-44488 (an issue with VP9 in libvpx before 1.13.1 that can lead to a crash related to encoding), has been released.

Don't miss