High severity · CISA KEV · NVD Advisory · Published Sep 28, 2023 · Updated Oct 21, 2025
CVE-2023-5217
Description
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| electron (npm) | < 22.3.25 | 22.3.25 |
| electron (npm) | >= 24.0.0, < 24.8.5 | 24.8.5 |
| electron (npm) | >= 25.0.0, < 25.8.4 | 25.8.4 |
| electron (npm) | >= 26.0.0, < 26.2.4 | 26.2.4 |
| electron (npm) | >= 27.0.0-alpha.1, < 27.0.0-beta.8 | 27.0.0-beta.8 |
Affected products
- Google/libvpx (v5), range: 1.13.1
References
- github.com/advisories/GHSA-qqvq-6xgj-jw8g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-5217 (ghsa, ADVISORY)
- seclists.org/fulldisclosure/2023/Oct/12 (ghsa, WEB)
- seclists.org/fulldisclosure/2023/Oct/16 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/28/5 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/28/6 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/29/1 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/29/11 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/29/12 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/29/14 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/29/2 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/29/7 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/29/9 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/30/1 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/30/2 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/30/3 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/30/4 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/09/30/5 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/10/01/1 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/10/01/2 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/10/01/5 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/10/02/6 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2023/10/03/11 (ghsa, WEB)
- arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software (ghsa, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, WEB)
- chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html (ghsa, WEB)
- crbug.com/1486441 (ghsa, WEB)
- github.com/electron/electron/pull/40022 (ghsa, WEB)
- github.com/electron/electron/pull/40023 (ghsa, WEB)
- github.com/electron/electron/pull/40024 (ghsa, WEB)
- github.com/electron/electron/pull/40025 (ghsa, WEB)
- github.com/electron/electron/pull/40026 (ghsa, WEB)
- github.com/electron/electron/releases/tag/v22.3.25 (ghsa, WEB)
- github.com/electron/electron/releases/tag/v24.8.5 (ghsa, WEB)
- github.com/electron/electron/releases/tag/v25.8.4 (ghsa, WEB)
- github.com/electron/electron/releases/tag/v26.2.4 (ghsa, WEB)
- github.com/electron/electron/releases/tag/v27.0.0-beta.8 (ghsa, WEB)
- github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590 (ghsa, WEB)
- github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282 (ghsa, WEB)
- github.com/webmproject/libvpx/releases/tag/v1.13.1 (ghsa, WEB)
- github.com/webmproject/libvpx/tags (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2023/09/msg00038.html (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2023/10/msg00001.html (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2023/10/msg00015.html (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I (ghsa, WEB)
- pastebin.com/TdkC4pDv (ghsa, WEB)
- security-tracker.debian.org/tracker/CVE-2023-5217 (ghsa, WEB)
- security.gentoo.org/glsa/202310-04 (ghsa, WEB)
- security.gentoo.org/glsa/202401-34 (ghsa, WEB)
- stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217 (ghsa, WEB)
- support.apple.com/kb/HT213961 (ghsa, WEB)
- support.apple.com/kb/HT213972 (ghsa, WEB)
- twitter.com/maddiestone/status/1707163313711497266 (ghsa, WEB)
- www.debian.org/security/2023/dsa-5508 (ghsa, WEB)
- www.debian.org/security/2023/dsa-5509 (ghsa, WEB)
- www.debian.org/security/2023/dsa-5510 (ghsa, WEB)
- www.mozilla.org/en-US/security/advisories/mfsa2023-44 (ghsa, WEB)
- arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/ (mitre)
- stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/ (mitre)
- www.mozilla.org/en-US/security/advisories/mfsa2023-44/ (mitre)