Pierluigi Paganini
September 28, 2023
Google on Wednesday released security updates to address a new actively exploited zero-day flaw in the Chrome browser which is tracked as CVE-2023-5217.
The CVE-2023-5217 is a high-severity heap buffer overflow that affects vp8 encoding in libvpx. The vulnerability was discovered by Clément Lecigne from Google’s Threat Analysis Group on 2023-09-25, a circumstance that suggests it was exploited by a nation-state actor or by a surveillance firm.
“High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-09-25″ reads the advisory published by Google. “Google is aware that an exploit for CVE-2023-5217 exists in the wild.”
Google TAG researcher Maddie Stone highlighted that the issue was addressed in only two days after the initial discovery, she also confirmed the exploitation by a commercial spyware vendor.
.@_clem1 discovered another ITW 0-day in use by a commercial surveillance vendor: CVE-2023-5217. Thank you to Chrome for releasing a patch in TWO
— Maddie Stone (@maddiestone) September 27, 2023day!! https://t.co/QhzJonwLXi
An attacker can trigger the flaw to cause the application to crash or to execute arbitrary code.
This is the fifth actively exploited zero-day vulnerability in Chrome addressed by Google this year, the other ones are:
Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to address the zero-day.
Google also addressed this month the following vulnerabilities in the Chrome browser:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Chrome)
