Google on Wednesday released fixes to address a new actively exploited zero-day in the Chrome browser.
Tracked as CVE-2023-5217, the high-severity vulnerability is described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).
Exploitation of such buffer overflow flaws may result in a program crash or execution of arbitrary code, affecting the availability and integrity of the affected program.
Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone noting on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals.
No additional details have been revealed by the tech giant other than admitting that it is “aware that an exploit of CVE-2023-5217 exists in the wild.”
The latest discovery brings to five the number of zero-day vulnerabilities in Google Chrome for which patches have been released this year –
- CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
- CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
- CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
The development comes as Google assigned a new CVE identifier, CVE-2023-5129, to the critical flaw in the libwebp image library – originally tracked as CVE-2023-4863 – that has come under active exploitation in the wild, considering its broad attack surface.
Users are advised to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes when they become available.
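For administrators acting on the upgrade advice above, the following added example (not part of the original article) audits a browser inventory against the fixed Chrome build 117.0.5938.132. The inventory records, host names and status labels are constructed assumptions; other Chromium-based browsers are flagged for a vendor check because the article gives no fixed version for them.

```python
import re

# Fixed build named in the article for Windows, macOS and Linux.
FIXED_CHROME = (117, 0, 5938, 132)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(product, version_text):
    """Classify one inventory record against the fixed Chrome build.

    Only Google Chrome is compared numerically: other Chromium-based
    browsers use their own build numbers, so they are routed to the
    vendor's advisory instead of being compared to Chrome's version.
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if product.lower() != "google chrome":
        return "check-vendor"
    # Integer tuples compare component by component, so .92 < .132;
    # a plain string comparison would get this case wrong.
    return "patched" if version >= FIXED_CHROME else "vulnerable"

# Constructed sample inventory: (host, product, `<browser> --version` output).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome", "Google Chrome 117.0.5938.132"),
    ("ws-02", "Google Chrome", "Google Chrome 117.0.5938.92"),
    ("ws-03", "Google Chrome", "Google Chrome 116.0.5845.187"),
    ("ws-04", "Microsoft Edge", "Microsoft Edge 117.0.2045.43"),
    ("ws-05", "Google Chrome", "version string missing"),
]

def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(product, text) for host, product, text in inventory}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```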