CVE-2023-5217 — Google Chromium libvpx Heap Buffer Overflow Vulnerability

CVE-2023-5217

Chromium libvpx — VP8 Encoding Heap Overflow Exploited by Commercial Spyware Operators

What is libvpx?

libvpx is Google's open-source codec library for VP8 and VP9 video encoding and decoding. It is embedded in Google Chrome, Mozilla Firefox, Android, Electron-based applications, and many other software products that handle video content. VP8 is the video format used by WebRTC (real-time video calls in browsers) and widely used on the web. Because libvpx is embedded in browser renderer processes that directly handle untrusted web content, vulnerabilities in it are exploitable by visiting a malicious web page.

Overview

CVE-2023-5217 is a heap buffer overflow in libvpx's VP8 encoding implementation that allows a remote attacker to achieve code execution in the renderer process by delivering a specially crafted web page. Google disclosed it as an actively exploited zero-day on September 27, 2023, and Google's Threat Analysis Group (TAG) linked exploitation to commercial surveillance vendors targeting journalists and high-risk individuals. Firefox, Electron, and other libvpx consumers required separate patches.

Affected Versions

Product                         | Affected                         | Fixed
--------------------------------|----------------------------------|-----------------------------------------
Google Chrome                   | Prior to 117.0.5938.132          | 117.0.5938.132
Mozilla Firefox                 | Prior to 118.0.1                 | 118.0.1
Mozilla Firefox ESR             | Prior to 115.3.1                 | 115.3.1
libvpx (upstream)               | Prior to 1.13.1                  | 1.13.1
Microsoft Edge (Chromium-based) | Corresponding unpatched versions | Updated with Chromium patch
Android (media framework)       | Various                          | September/October 2023 security bulletin

Technical Details

The vulnerability (CWE-787) is a heap buffer overflow in the VP8 encoding path within libvpx. During VP8 video encoding, the codec incorrectly calculates buffer bounds when processing certain video frame data, resulting in an out-of-bounds write to the heap. An attacker can trigger this by constructing a web page that causes the browser to encode a video stream with carefully crafted parameters.

In a browser context, the overflow occurs within the sandboxed renderer process. Exploiting it achieves arbitrary code execution within that sandbox. Attackers then typically chain this with a sandbox escape vulnerability (a separate bug, not part of this CVE) to achieve full system compromise. Google TAG observed this exploitation pattern being used by commercial spyware operators — the renderer-level exploit provides the initial foothold within the browser before escaping the sandbox to deliver the spyware payload.

Discovery

Clément Lecigne of Google's Threat Analysis Group discovered CVE-2023-5217 while investigating use of commercial spyware against a targeted individual. Google TAG attributed exploitation to commercial surveillance vendors supplying state-level customers.

Exploitation Context

Google TAG confirmed active in-the-wild exploitation of CVE-2023-5217 before the patch was released, specifically by commercial spyware operators. The same October 2023 period saw multiple related browser and media library vulnerabilities exploited as part of spyware delivery chains (including CVE-2023-4863 in WebP). The dual Apple/Google/Mozilla patching events in late September 2023 reflect a broader pattern of surveillance industry activity against browser media parsing code.

The vulnerability affected not just Chrome but Firefox, Edge, and any Electron-based application, significantly broadening the potential victim pool. CISA added it to KEV on October 2, 2023.

Remediation

  1. Update Chrome to 117.0.5938.132 or later — apply via Chrome's automatic update or manually through Settings → About Chrome.
  2. Update Firefox to 118.0.1 (or ESR 115.3.1) and Edge to the corresponding updated Chromium version.
  3. Update Electron-based applications (Slack, VS Code, Discord, etc.) — these bundle their own Chromium and require separate updates from their vendors.
  4. Update libvpx to 1.13.1 or later on any systems where it is installed as a system library (Linux package managers should have received updates in October 2023).
  5. Apply Android security updates — Android's media framework uses libvpx; apply the September or October 2023 Android Security Bulletin updates.
  6. Enable Enhanced Safe Browsing in Chrome — provides additional real-time phishing and malware protection, reducing the risk of landing on exploit-delivering pages.
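The version thresholds in the steps above can be checked mechanically. The script below is an added example, not part of the advisory: it compares whatever Chrome, Firefox and system libvpx a Linux host reports against the fixed versions from the Affected Versions table, using a proper dotted-version comparison rather than a string compare (so 117.0.5938.62 is correctly ranked below 117.0.5938.132). The command names google-chrome, firefox and pkg-config and the treatment of any 115.x Firefox as the ESR line are assumptions.

```shell
# Added example (not from the advisory): flag libvpx consumers on a Linux host
# running a version below the fixed one. google-chrome, firefox, pkg-config optional.
# version_ge A B: return 0 if dotted version A >= B, else 1
version_ge() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ai="${_a%%.*}"; _bi="${_b%%.*}"
        if [ "${_ai:-0}" -gt "${_bi:-0}" ]; then return 0; fi
        if [ "${_ai:-0}" -lt "${_bi:-0}" ]; then return 1; fi
        case "$_a" in *.*) _a="${_a#*.}" ;; *) _a="" ;; esac
        case "$_b" in *.*) _b="${_b#*.}" ;; *) _b="" ;; esac
    done
    return 0
}
# check_fixed NAME INSTALLED FIXED: print a verdict; return 0 if patched
check_fixed() {
    if version_ge "$2" "$3"; then
        printf '%-12s %-16s OK (fix: %s)\n' "$1" "$2" "$3"; return 0
    fi
    printf '%-12s %-16s VULNERABLE, update to %s or later\n' "$1" "$2" "$3"
    return 1
}
# installed_version CMD: first dotted version in "CMD --version" output, or fail
installed_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    _v=$("$1" --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1)
    [ -n "$_v" ] && printf '%s\n' "$_v"
}
# Fixed versions come from the Affected Versions table; returns 1 if any
# discovered component is still below its fixed version.
audit_host() {
    rc=0
    if v=$(installed_version google-chrome); then
        check_fixed Chrome "$v" 117.0.5938.132 || rc=1
    fi
    if v=$(installed_version firefox); then
        # Assumption: a 115.x Firefox is the ESR line fixed in 115.3.1.
        case "$v" in 115.*) fixed=115.3.1 ;; *) fixed=118.0.1 ;; esac
        check_fixed Firefox "$v" "$fixed" || rc=1
    fi
    if v=$(pkg-config --modversion vpx 2>/dev/null); then
        check_fixed libvpx "$v" 1.13.1 || rc=1
    fi
    return $rc
}
audit_host || echo "At least one component still needs the CVE-2023-5217 fix."
```

Electron applications bundle their own Chromium and are not visible to this check; they need to be inventoried and updated through each vendor.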

Key Details

Property            | Value
--------------------|--------------------------------------------------
CVE ID              | CVE-2023-5217
Vendor / Product    | Google — Chromium libvpx
NVD Published       | 2023-09-28
NVD Last Modified   | 2025-10-24
CVSS 3.1 Score      | 8.8
CVSS 3.1 Vector     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity            | HIGH
CWE                 | CWE-787
CISA KEV Added      | 2023-10-02
CISA KEV Deadline   | 2023-10-23
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    Required
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2023-10-23. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
-----------|---------------------------------------------------------------------------------------------
2023-09-27 | Google releases Chrome 117.0.5938.132, patching CVE-2023-5217 as an actively exploited zero-day
2023-09-28 | Mozilla releases Firefox 118.0.1 and Firefox ESR 115.3.1, patching the same libvpx vulnerability
2023-10-02 | Added to CISA Known Exploited Vulnerabilities catalog
2023-10-23 | CISA BOD 22-01 remediation deadline