CVE-2023-5217
Published: 28 September 2023
Summary
CVE-2023-5217 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 10.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A heap buffer overflow vulnerability exists in the VP8 encoding functionality of libvpx, affecting Google Chrome versions prior to 117.0.5938.132 as well as libvpx releases before 1.13.1. The flaw, assigned CWE-787, permits out-of-bounds writes that can corrupt heap memory when processing specially crafted input. It carries a CVSS 3.1 base score of 8.8 and was rated High severity by the Chromium project.
A remote attacker can trigger the issue by serving a crafted HTML page that causes the browser or any application using the vulnerable libvpx library to encode VP8 video. Successful exploitation may allow arbitrary code execution or other impacts affecting confidentiality, integrity, and availability, although user interaction is required to render the malicious page.
Public advisories on the referenced Openwall and Seclists lists confirm that the issue is resolved by updating Chrome to version 117.0.5938.132 or later and by upgrading libvpx to 1.13.1, which contains the corrected encoding logic.
The EPSS score for this CVE rose sharply from a low baseline to a peak of 0.7546 on 2025-01-02 before receding to the current value of 0.0498, indicating a period of heightened exploitation interest well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2578
Vulnerability details
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-787
- KEV Date Added: 02 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of security-relevant patches such as the libvpx 1.13.1 / Chrome 117.0.5938.132 update that eliminates the VP8 heap buffer overflow.
Mandates memory-protection mechanisms that can block or contain heap-corruption exploits arising from the uncontrolled VP8 encoding buffer write.
Requires validation of untrusted input (crafted HTML/video data) before it reaches the vulnerable VP8 encoder, reducing the likelihood of triggering the overflow.