Pierluigi Paganini September 28, 2023

Google released security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-5217, in the Chrome browser.

Google on Wednesday released security updates to address a new actively exploited zero-day flaw in the Chrome browser which is tracked as CVE-2023-5217.

The CVE-2023-5217 is a high-severity heap buffer overflow that affects vp8 encoding in libvpx. The vulnerability was discovered by Clément Lecigne from Google’s Threat Analysis Group on 2023-09-25, a circumstance that suggests it was exploited by a nation-state actor or by a surveillance firm.

“High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-09-25″ reads the advisory published by Google. “Google is aware that an exploit for CVE-2023-5217 exists in the wild.”

Google TAG researcher Maddie Stone highlighted that the issue was addressed in only two days after the initial discovery, she also confirmed the exploitation by a commercial spyware vendor.

An attacker can trigger the flaw to cause the application to crash or to execute arbitrary code.

This is the fifth actively exploited zero-day vulnerability in Chrome addressed by Google this year, the other ones are:

  • CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library
  • CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP

Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to address the zero-day.

Google also addressed this month the following vulnerabilities in the Chrome browser:

  • [$TBD][1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
  • [$2000][1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

you might also like

leave a comment