Google released security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-5217, in the Chrome browser.
Google on Wednesday released security updates to address a new actively exploited zero-day flaw in the Chrome browser which is tracked as CVE-2023-5217.
The CVE-2023-5217 is a high-severity heap buffer overflow that affects vp8 encoding in libvpx. The vulnerability was discovered by Clément Lecigne from Google’s Threat Analysis Group on 2023-09-25, a circumstance that suggests it was exploited by a nation-state actor or by a surveillance firm.
“High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-09-25″ reads the advisory published by Google. “Google is aware that an exploit for CVE-2023-5217 exists in the wild.”
Google TAG researcher Maddie Stone highlighted that the issue was addressed in only two days after the initial discovery, she also confirmed the exploitation by a commercial spyware vendor.
An attacker can trigger the flaw to cause the application to crash or to execute arbitrary code.
This is the fifth actively exploited zero-day vulnerability in Chrome addressed by Google this year, the other ones are:
- CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library
- CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to address the zero-day.
Google also addressed this month the following vulnerabilities in the Chrome browser:
- [$TBD] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
- [$2000] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
(SecurityAffairs – hacking, Chrome)