Google Chromium libvpx Heap Buffer Overflow Vulnerability

Summary

CVE: CVE-2023-5217
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2023-09-28 16:15:00 UTC
Updated: 2024-02-02 18:22:00 UTC
Description: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

The flaw is in the VP8 encoder, not the decoder, so on the browser side it is reached by a page that drives VP8 encoding rather than by playing a crafted video; libvpx 1.13.1 is the first fixed upstream release. The fix, commit 3fbd1dc ("VP8: disallow thread count changes") with the regression test ConfigResizeChangeThreadCount (commit af6dedd), rejects changing the encoder's thread count after initialisation: the encoder's allocations are made at creation time, so a later reconfiguration with a different thread count left the allocation and the configuration inconsistent, which is the out-of-bounds write behind CWE-787. Every application that ships its own copy of libvpx (Firefox and Thunderbird, Electron, CefSharp, Qt WebEngine, Opera, as well as iOS and iPadOS) needs its own update, which is why the advisory and QID lists below are long.

Risk And Classification

EPSS: 0.049 (4.9% probability of exploitation activity in the next 30 days), percentile 0.8956, as scored on 2026-04-01

CISA KEV: Listed on 2023-10-02; due 2023-10-23; ransomware use Unknown. The bug was found in use in the wild as a zero-day by a commercial surveillance vendor (see the referenced post by Maddie Stone), and Chrome shipped the fix within two days.

Problem Types: CWE-787 (Out-of-bounds Write)

CISA Known Exploited Vulnerability

Vendor: Google
Product: Chromium libvpx
Name: Google Chromium libvpx Heap Buffer Overflow Vulnerability
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html; https://nvd.nist.gov/vuln/detail/CVE-2023-5217

NVD Known Affected Configurations (CPE 2.3)

Where a concrete version appears against a product whose fixed release is known (the Edge rows, libvpx 1.13.1), it is the fixed-release bound of the affected range rather than an affected version; the Debian and Fedora rows are the OS releases that shipped affected packages.

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Apple | Ipad Os | All | All | All | All
Operating System | Apple | Ipad Os | 16.7 | All | All | All
Operating System | Apple | Iphone Os | All | All | All | All
Operating System | Apple | Iphone Os | 16.7 | All | All | All
Operating System | Debian | Debian Linux | 10.0 | All | All | All
Operating System | Debian | Debian Linux | 11.0 | All | All | All
Operating System | Debian | Debian Linux | 12.0 | All | All | All
Operating System | Fedoraproject | Fedora | 37 | All | All | All
Operating System | Fedoraproject | Fedora | 38 | All | All | All
Operating System | Fedoraproject | Fedora | 39 | All | All | All
Application | Google | Chrome | All | All | All | All
Application | Microsoft | Edge | 116.0.1938.98 | All | All | All
Application | Microsoft | Edge | 117.0.2045.47 | All | All | All
Application | Microsoft | Edge Chromium | 116.0.5845.229 | All | All | All
Application | Microsoft | Edge Chromium | 117.0.5938.132 | All | All | All
Application | Mozilla | Firefox | All | All | All | All
Application | Mozilla | Firefox Esr | All | All | All | All
Application | Mozilla | Firefox Focus | All | All | All | All
Application | Mozilla | Thunderbird | All | All | All | All
Application | Webmproject | Libvpx | All | All | All | All
Application | Webmproject | Libvpx | 1.13.1 | All | All | All
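The fixed versions the record and its references give (Chrome 117.0.5938.132, Edge 116.0.1938.98 / 117.0.2045.47, libvpx 1.13.1, Firefox 118.0.1 / ESR 115.3.1 / Android 118.1.0, Thunderbird 115.3.1, iOS and iPadOS 16.7.1 / 17.0.3) are enough to triage an inventory, with one caveat the Fedora references make visible: distribution packages backport the fix without changing the upstream version (libvpx-1.12.0-4.fc37 is patched although 1.12.0 is older than 1.13.1), so a distro package has to be judged by its package release, not its upstream version. The helper below is an added example, not code from CVE.report, Google or the libvpx project; the product keys, the sample inventory and the simplified rpmvercmp-style comparator are this example's own assumptions, and the fixed-release table covers only the Fedora updates the reference list names.

```python
"""Triage helper for CVE-2023-5217 (libvpx VP8 encoder heap buffer overflow).

Added example: not code from CVE.report, Google or the libvpx project. It
encodes the fixed versions stated in the record and its vendor references and
answers "is this installed version still affected?". Product keys and the
sample inventory are this example's own naming and constructed data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Upstream fixed versions, keyed by product and then by release branch
# (None = a single release line). Sources: Chrome stable release blog,
# Edge rows in the NVD CPE table, libvpx v1.13.1 tag, Mozilla advisory,
# Apple HT213961 (iOS 17.0.3) and HT213972 (iOS 16.7.1).
UPSTREAM_FIXED: Dict[str, Dict[Optional[str], str]] = {
    "chrome":          {None: "117.0.5938.132"},
    "edge":            {"116": "116.0.1938.98", "117": "117.0.2045.47"},
    "libvpx":          {None: "1.13.1"},
    "firefox":         {None: "118.0.1"},
    "firefox-esr":     {None: "115.3.1"},
    "firefox-android": {None: "118.1.0"},
    "thunderbird":     {None: "115.3.1"},
    "ios":             {"16": "16.7.1", "17": "17.0.3"},
}

# Distribution packages backport the fix without bumping the upstream version,
# so they are compared by full version-release. Entries are the Fedora update
# titles in the reference list; other distros/packages report "unknown".
DISTRO_FIXED: Dict[Tuple[str, str], str] = {
    ("fc37", "libvpx"):   "1.12.0-4.fc37",
    ("fc38", "libvpx"):   "1.13.0-5.fc38",
    ("fc39", "libvpx"):   "1.13.0-5.fc39",
    ("fc37", "chromium"): "117.0.5938.132-1.fc37",
    ("fc38", "chromium"): "117.0.5938.132-2.fc38",
    ("fc39", "chromium"): "117.0.5938.132-2.fc39",
    ("fc39", "firefox"):  "118.0.1-4.fc39",
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp-style comparison (this example's own, not rpm's):
    numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, and a version with extra trailing
    segments is newer. Returns -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(ta) != len(tb):
        return -1 if len(ta) < len(tb) else 1
    return 0


def assess(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Classify an upstream product version as (status, fixed_version), status
    in {"fixed", "affected", "unknown"}. For products with several maintained
    branches (Edge, iOS) the branch is picked by major version; a branch newer
    than every listed fix counts as fixed, an older branch with no listed fix
    as affected."""
    branches = UPSTREAM_FIXED.get(product)
    if branches is None:
        return "unknown", None
    if None in branches:
        fixed = branches[None]
    else:
        major = version.split(".")[0]
        if major in branches:
            fixed = branches[major]
        elif int(major) > max(int(m) for m in branches):
            return "fixed", None
        else:
            return "affected", None
    return ("fixed" if vercmp(version, fixed) >= 0 else "affected"), fixed


def assess_rpm(distro: str, package: str, vr: str) -> Tuple[str, Optional[str]]:
    """Classify a distro package by its full version-release string (e.g. the
    output of rpm -q --qf '%{VERSION}-%{RELEASE}' libvpx)."""
    fixed = DISTRO_FIXED.get((distro, package))
    if fixed is None:
        return "unknown", None
    return ("fixed" if vercmp(vr, fixed) >= 0 else "affected"), fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run assess() over (product, version) pairs; returns (product, version, status)."""
    return [(p, v, assess(p, v)[0]) for p, v in inventory]


if __name__ == "__main__":
    # Constructed inventory for illustration, not real host data.
    hosts = [
        ("chrome", "117.0.5938.92"),
        ("edge", "116.0.1938.81"),
        ("edge", "118.0.2088.46"),
        ("ios", "16.7"),
        ("libvpx", "1.13.1"),
        ("opera", "103.0.4928.34"),
    ]
    for product, version, status in triage(hosts):
        print(f"{product:16} {version:18} {status}")
    # Backported Fedora package: upstream 1.12.0, but release -4 carries the fix.
    print("fc37 libvpx 1.12.0-4.fc37 ->", assess_rpm("fc37", "libvpx", "1.12.0-4.fc37")[0])
```

Products that vendor libvpx but are not in the table (Electron, CefSharp, qt5-qtwebengine, Opera in the QID list below) deliberately report "unknown"; add them from their own advisories rather than by guessing an embedded libvpx version, since the embedded copy is rarely visible from the outside.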

References

Reference | Source | Link | Tags
[SECURITY] Fedora 37 Update: libvpx-1.12.0-4.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
oss-security - Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx (several replies in the thread) | MISC | www.openwall.com |
2241191 – (CVE-2023-5217) CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx | MISC | bugzilla.redhat.com |
1486441 - chromium - An open-source project to help move the web forward. - Monorail | MISC | crbug.com |
oss-security - Re: Haskell programs in distributions (was: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)) | MISC | www.openwall.com |
[SECURITY] Fedora 39 Update: firefox-118.0.1-4.fc39 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
oss-security - Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) (several replies in the thread) | MISC | www.openwall.com |
[SECURITY] [DLA 3601-1] thunderbird security update | MISC | lists.debian.org |
Debian -- Security Information -- DSA-5508-1 chromium | MISC | www.debian.org |
[SECURITY] [DLA 3591-1] firefox-esr security update | MISC | lists.debian.org |
Chrome Releases: Stable Channel Update for Desktop | MISC | chromereleases.googleblog.com |
Maddie Stone on X: ".@_clem1 discovered another ITW 0-day in use by a commercial surveillance vendor: CVE-2023-5217. Thank you to Chrome for releasing a patch in TWO days!! https://t.co/QhzJonwLXi" / X | MISC | twitter.com |
Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, Firefox Focus for Android 118.1.0, and Thunderbird 115.3.1. — Mozilla | MISC | www.mozilla.org |
CVE-2023-5217 | MISC | security-tracker.debian.org |
Full Disclosure: APPLE-SA-10-10-2023-1 iOS 16.7.1 and iPadOS 16.7.1 | MISC | seclists.org |
Debian -- Security Information -- DSA-5509-1 firefox-esr | MISC | www.debian.org |
oss-security - Wuffs (was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) | MISC | www.openwall.com |
oss-security - CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx | MISC | www.openwall.com |
VP8: disallow thread count changes · webmproject/libvpx@3fbd1dc · GitHub | MISC | github.com |
oss-security - Re: Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx | MISC | www.openwall.com |
[SECURITY] [DLA 3598-1] libvpx security update | MISC | lists.debian.org |
Full Disclosure: APPLE-SA-2023-10-04-1 iOS 17.0.3 and iPadOS 17.0.3 | MISC | seclists.org |
[SECURITY] Fedora 39 Update: libvpx-1.13.0-5.fc39 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
support.apple.com/kb/HT213972 (iOS 16.7.1 and iPadOS 16.7.1) | | support.apple.com | Third Party Advisory
libvpx: Multiple Vulnerabilities (GLSA 202310-04) — Gentoo security | MISC | security.gentoo.org |
Google discloses a WebM VP8 bug, tracked as CVE-2023-5217 | MISC | stackdiary.com |
[SECURITY] Fedora 37 Update: chromium-117.0.5938.132-1.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
Tags · webmproject/libvpx · GitHub | MISC | github.com |
Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities (GLSA 202401-34) — Gentoo security | | security.gentoo.org | Third Party Advisory
oss-security - Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) | MISC | www.openwall.com |
Ubuntu packages that depend on libvpx7 - Pastebin.com | MISC | pastebin.com |
[SECURITY] Fedora 38 Update: chromium-117.0.5938.132-2.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
[SECURITY] Fedora 38 Update: libvpx-1.13.0-5.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
support.apple.com/kb/HT213961 (iOS 17.0.3 and iPadOS 17.0.3) | | support.apple.com | Third Party Advisory
Debian -- Security Information -- DSA-5510-1 libvpx | MISC | www.debian.org |
A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day | Ars Technica | MISC | arstechnica.com |
[SECURITY] Fedora 39 Update: chromium-117.0.5938.132-2.fc39 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org |
encode_api_test: add ConfigResizeChangeThreadCount · webmproject/libvpx@af6dedd · GitHub | MISC | github.com |
Release v1.13.1: libvpx 1.13.1 · webmproject/libvpx · GitHub | MISC | github.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis
CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev

Legacy QID Mappings (Qualys detection IDs)

  • 160952 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-5435)
  • 160954 Oracle Enterprise Linux Security Update for firefox (ELSA-2023-5434)
  • 160959 Oracle Enterprise Linux Security Update for firefox (ELSA-2023-5433)
  • 160961 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-5428)
  • 160966 Oracle Enterprise Linux Security Update for libvpx (ELSA-2023-5537)
  • 160970 Oracle Enterprise Linux Security Update for libvpx (ELSA-2023-5539)
  • 160972 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-5475)
  • 160976 Oracle Enterprise Linux Security Update for firefox (ELSA-2023-5477)
  • 199793 Ubuntu Security Notification for libvpx Vulnerabilities (USN-6403-1)
  • 199794 Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-6405-1)
  • 199795 Ubuntu Security Notification for Firefox Vulnerabilities (USN-6404-1)
  • 199850 Ubuntu Security Notification for libvpx Vulnerabilities (USN-6403-2)
  • 199885 Ubuntu Security Notification for libvpx Vulnerabilities (USN-6403-3)
  • 242088 Red Hat Update for thunderbird (RHSA-2023:5429)
  • 242089 Red Hat Update for thunderbird (RHSA-2023:5438)
  • 242090 Red Hat Update for firefox (RHSA-2023:5433)
  • 242091 Red Hat Update for thunderbird (RHSA-2023:5435)
  • 242092 Red Hat Update for firefox (RHSA-2023:5427)
  • 242093 Red Hat Update for firefox (RHSA-2023:5437)
  • 242094 Red Hat Update for thunderbird (RHSA-2023:5439)
  • 242095 Red Hat Update for thunderbird (RHSA-2023:5430)
  • 242096 Red Hat Update for firefox (RHSA-2023:5436)
  • 242097 Red Hat Update for firefox (RHSA-2023:5434)
  • 242098 Red Hat Update for firefox (RHSA-2023:5426)
  • 242099 Red Hat Update for thunderbird (RHSA-2023:5432)
  • 242100 Red Hat Update for firefox (RHSA-2023:5440)
  • 242101 Red Hat Update for thunderbird (RHSA-2023:5428)
  • 242108 Red Hat Update for thunderbird (RHSA-2023:5475)
  • 242115 Red Hat Update for firefox (RHSA-2023:5477)
  • 242128 Red Hat Update for libvpx (RHSA-2023:5535)
  • 242129 Red Hat Update for libvpx (RHSA-2023:5534)
  • 242135 Red Hat Update for libvpx (RHSA-2023:5536)
  • 242136 Red Hat Update for libvpx (RHSA-2023:5538)
  • 242137 Red Hat Update for libvpx (RHSA-2023:5537)
  • 242138 Red Hat Update for libvpx (RHSA-2023:5539)
  • 242139 Red Hat Update for libvpx (RHSA-2023:5540)
  • 284561 Fedora Security Update for libvpx (FEDORA-2023-c896cf87db)
  • 284562 Fedora Security Update for chromium (FEDORA-2023-d66a01ad4f)
  • 284563 Fedora Security Update for chromium (FEDORA-2023-0cd03c3746)
  • 284655 Fedora Security Update for libvpx (FEDORA-2023-f696934fbf)
  • 285220 Fedora Security Update for firefox (FEDORA-2023-bbb8d72c6f)
  • 285232 Fedora Security Update for chromium (FEDORA-2023-c890266d3f)
  • 285234 Fedora Security Update for libvpx (FEDORA-2023-10ff82e497)
  • 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
  • 378905 Google Chrome Prior to 117.0.5938.132 Multiple Vulnerabilities
  • 378906 Mozilla Firefox Multiple Vulnerabilities (MFSA2023-44)
  • 378907 Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2023-44)
  • 378911 Microsoft Edge Based on Chromium Prior to 116.0.1938.98/117.0.2045.47 Multiple Vulnerabilities
  • 378965 Alibaba Cloud Linux Security Update for libvpx (ALINUX3-SA-2023:0129)
  • 503357 Alpine Linux Security Update for libvpx
  • 503359 Alpine Linux Security Update for libvpx
  • 503394 Alpine Linux Security Update for qt5-qtwebengine
  • 503463 Alpine Linux Security Update for firefox-esr
  • 503480 Alpine Linux Security Update for qt5-qtwebengine
  • 506071 Alpine Linux Security Update for firefox-esr
  • 506113 Alpine Linux Security Update for libvpx
  • 506203 Alpine Linux Security Update for qt5-qtwebengine
  • 6000063 Debian Security Update for firefox-esr (DLA 3591-1)
  • 6000145 Debian Security Update for thunderbird (DLA 3601-1)
  • 6000146 Debian Security Update for libvpx (DLA 3598-1)
  • 6000187 Debian Security Update for chromium (DSA 5508-1)
  • 6000197 Debian Security Update for libvpx (DSA 5510-1)
  • 6000206 Debian Security Update for thunderbird (DSA 5513-1)
  • 6000242 Debian Security Update for firefox-esr (DSA 5509-1)
  • 610511 Apple iOS 17.0.3 and iPadOS 17.0.3 Security Update Missing
  • 610524 Apple iOS 16.7.1 and iPadOS 16.7.1 Security Update Missing (HT213972)
  • 673948 EulerOS Security Update for libvpx (EulerOS-SA-2024-1279)
  • 691310 Free Berkeley Software Distribution (FreeBSD) Security Update for electron{22,24,25} (2bcd6ba4-d8e2-42e5-9033-b50b722821fb)
  • 691312 Free Berkeley Software Distribution (FreeBSD) Security Update for chromium (6d9c6aae-5eb1-11ee-8290-a8a1599412c6)
  • 710763 Gentoo Linux libvpx Multiple Vulnerabilities (GLSA 202310-04)
  • 710849 Gentoo Linux Chromium, Google Chrome, Microsoft Edge Multiple Vulnerabilities (GLSA 202401-34)
  • 755012 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:3941-1)
  • 755013 SUSE Enterprise Linux Security Update for libvpx (SUSE-SU-2023:3940-1)
  • 755018 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:3950-1)
  • 755019 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:3949-1)
  • 755020 SUSE Enterprise Linux Security Update for libvpx (SUSE-SU-2023:3948-1)
  • 755022 SUSE Enterprise Linux Security Update for libvpx (SUSE-SU-2023:3946-1)
  • 755053 SUSE Enterprise Linux Security Update for MozillaThunderbird (SUSE-SU-2023:4016-1)
  • 755067 OpenSUSE Security Update for opera (openSUSE-SU-2023:0297-1)
  • 755068 OpenSUSE Security Update for opera (openSUSE-SU-2023:0298-1)
  • 941287 AlmaLinux Security Update for thunderbird (ALSA-2023:5435)
  • 941288 AlmaLinux Security Update for firefox (ALSA-2023:5434)
  • 941289 AlmaLinux Security Update for libvpx (ALSA-2023:5537)
  • 941290 AlmaLinux Security Update for libvpx (ALSA-2023:5539)
  • 961025 Rocky Linux Security Update for thunderbird (RLSA-2023:5428)
  • 961027 Rocky Linux Security Update for thunderbird (RLSA-2023:5435)
  • 995519 NodeJs (Npm) Security Update for electron (GHSA-qqvq-6xgj-jw8g)
  • 995520 DotNet (Nuget) Security Update for CefSharp.Common (GHSA-4c29-gfrp-g6x9)
© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
