CVE-2023-5217

Description

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

How to fix CVE-2023-5217

To remediate CVE-2023-5217, upgrade the affected package to a fixed version below.

• —upgrade to 117.0.5938.132-1~deb11u1 or later
• —upgrade to 115.3.1esr-1~deb10u1 or later
• —upgrade to 115.3.1esr-1~deb11u1 or later
• —upgrade to 115.3.1esr-1~deb11u1 or later
• —upgrade to 1.9.0-1+deb11u1 or later
• —upgrade to 1.9.0-1+deb11u1 or later
• —upgrade to 1:115.3.1-1~deb11u1 or later
• —upgrade to 22.3.25 or later

Is CVE-2023-5217 being exploited?

Yes — CVE-2023-5217 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (8)

• from 0, < 117.0.5938.132-1~deb11u1
• from 0, < 115.3.1esr-1~deb10u1
• from 0, < 115.3.1esr-1~deb11u1
• from 0, < 115.3.1esr-1~deb11u1
• from 0, < 1.9.0-1+deb11u1
• from 0, < 1.9.0-1+deb11u1
• from 0, < 1:115.3.1-1~deb11u1
• from 0, < 22.3.25

CVSS scores

References (64)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-5217
• PATCHgithub.com/electron/electron
• WEBarstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software
• WEBbugzilla.redhat.com/show_bug.cgi?id=2241191