Cyber Resilience

CVE-2023-5217

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 28 September 2023

Modified: 24 October 2025
KEV Added: 02 October 2023
Patch: 28 September 2023
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0498 (89.9th percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-5217 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 10.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A heap buffer overflow vulnerability exists in the VP8 encoding functionality of libvpx, affecting Google Chrome versions prior to 117.0.5938.132 as well as libvpx releases before 1.13.1. The flaw, assigned CWE-787, permits out-of-bounds writes that can corrupt heap memory when processing specially crafted input. It carries a CVSS 3.1 base score of 8.8 and was rated High severity by the Chromium project.

A remote attacker can trigger the issue by serving a crafted HTML page that causes the browser or any application using the vulnerable libvpx library to encode VP8 video. Successful exploitation may allow arbitrary code execution or other impacts affecting confidentiality, integrity, and availability, although user interaction is required to render the malicious page.

Public advisories on the referenced Openwall and Seclists lists confirm that the issue is resolved by updating Chrome to version 117.0.5938.132 or later and by upgrading libvpx to 1.13.1, which contains the corrected encoding logic.

The EPSS score for this CVE rose sharply from a low baseline to a peak of 0.7546 on 2025-01-02 before receding to the current value of 0.0498, indicating a period of heightened exploitation interest well after initial disclosure.

Vulnerability details

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s): CWE-787
KEV Date Added: 02 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

webmproject / libvpx: ≤ 1.13.1
microsoft / edge: 116.0.1938.98, 117.0.2045.47
microsoft / edge chromium: 116.0.5845.229, 117.0.5938.132
mozilla / firefox: ≤ 115.3.1 · ≤ 118.0.1 · ≤ 118.1
mozilla / thunderbird: ≤ 115.3.1
fedoraproject / fedora: 37, 38, 39
debian / debian linux: 10.0, 11.0, 12.0
apple / ipados: 16.7 · 17.0 — 17.0.3
apple / iphone os: 16.7 · 17.0 — 17.0.3
google / chrome: ≤ 117.0.5938.132
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely installation of security-relevant patches such as the libvpx 1.13.1 / Chrome 117.0.5938.132 update that eliminates the VP8 heap buffer overflow.

Prevent: Mandates memory-protection mechanisms that can block or contain heap-corruption exploits arising from the uncontrolled VP8 encoding buffer write.

Prevent: Requires validation of untrusted input (crafted HTML/video data) before it reaches the vulnerable VP8 encoder, reducing the likelihood of triggering the overflow.

References