CVE-2023-5217
Description
Google Chromium libvpx contains a heap buffer overflow vulnerability in vp8 encoding that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using libvpx, including but not limited to Google Chrome.
CISA KEV
- Vendor
- Product
- Chromium libvpx
- Due date
- 2023-10-23
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | thunderbird-115.3.1-1.el9_2.alma.x86_64.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 117.0.5938.132-1 |
| sid | Fixed | 117.0.5938.132-1 |
| forky | Fixed | 117.0.5938.132-1 |
| bullseye | Fixed | 117.0.5938.132-1~deb11u1 |
| bookworm | Fixed | 117.0.5938.132-1~deb12u1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
References
- https://errata.rockylinux.org/RLSA-2023:5537
- https://access.redhat.com/errata/RHSA-2023:5434
- https://access.redhat.com/errata/RHSA-2023:5435
- https://access.redhat.com/errata/RHSA-2023:5539
- https://bugzilla.redhat.com/2222652
- https://bugzilla.redhat.com/2240893
- https://bugzilla.redhat.com/2240894
- https://bugzilla.redhat.com/2240896
- https://bugzilla.redhat.com/2241191
- https://errata.almalinux.org/9/ALSA-2023-5435.html
- https://security-tracker.debian.org/tracker/CVE-2023-5217
- https://errata.rockylinux.org/RLSA-2023:5428
- https://www.suse.com/security/cve/CVE-2023-5217.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-5217
- https://github.com/electron/electron/pull/40022
- https://github.com/electron/electron/pull/40023
- https://github.com/electron/electron/pull/40024
- https://github.com/electron/electron/pull/40025
- https://github.com/electron/electron/pull/40026
- https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282
- https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.