CVE-2023-5217

Aliases: GHSA-qqvq-6xgj-jw8g
Advisory lineage Upstream: 0 Downstream: 60
Analyzed
Published: 28 Sept 2023, 15:23
Last modified: 21 Oct 2025, 23:05

Vulnerability Summary

  • Overall Risk (default): medium, 46/100
  • CVSS Score: 8.8 HIGH, v3.1 (cve.org)
  • EPSS Score: 4.9% LOW (5% probability, +1.44%)
  • KEV: Listed (CISA, 1 listing)
  • Ransomware: No reports
  • Public exploits: 1 found
  • Dark Web: Not detected

Timeline

  • 28 Sept 2023, 15:23: Published. Vulnerability first disclosed.
  • 02 Oct 2023, 00:00: Added to CISA KEV. Google Chromium libvpx Heap Buffer Overflow Vulnerability
  • 23 Oct 2023, 00:00: CISA Remediation Due. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • 21 Oct 2025, 23:05: Last Modified. Vulnerability information updated.

Description

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics

  • v3.1, HIGH, Score: 8.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 4.90% Percentile: 90%

Techniques & Countermeasures

  • CWE-787: Out-of-bounds Write

    The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

  • apple ipados

    ≥ 17.0, < 17.0.3 | 16.7

  • apple iphone_os

    ≥ 17.0, < 17.0.3 | 16.7

  • debian debian_linux

    10.0 | 11.0 | 12.0

  • fedoraproject fedora

    37 | 38 | 39

  • Unknown Chrome

    < 117.0.5938.132 | ≥ 117.0.5938.132, < 117.0.5938.132

  • google libvpx

    ≥ 1.13.1, < 1.13.1

  • Unknown Edge

    116.0.1938.98 | 117.0.2045.47

  • microsoft edge_chromium

    116.0.5845.229 | 117.0.5938.132

  • Unknown Firefox

    < 115.3.1 | < 118.0.1 | < 118.1

  • mozilla thunderbird

    < 115.3.1

  • Npm electron

    < 22.3.25 | ≥ 24.0.0, < 24.8.5 | ≥ 25.0.0, < 25.8.4 | ≥ 26.0.0, < 26.2.4 | ≥ 27.0.0-alpha.1, < 27.0.0-beta.8

  • redhat enterprise_linux

    9.0

  • webmproject libvpx

    < 1.13.1

References (75)