Google Addresses Actively Exploited Zero-day Vulnerability in Chrome Browser (CVE-2023-5217)

Google has released emergency updates to address a zero-day vulnerability in its Chrome browser. CVE-2023-5217 is a high-severity vulnerability that can lead to program crashes or arbitrary code execution. Google has mentioned in the advisory that the vulnerability is being exploited in the wild.

Clément Lecigne of Google’s Threat Analysis Group (TAG) has discovered the vulnerability.

In this batch of updates, Google has also addressed two more high-severity vulnerabilities, CVE-2023-5186 and CVE-2023-51987.

CVE-2023-5217 is the fifth zero-day vulnerability addressed by Google Chrome since the start of the year. The list includes:

Google has made an update related to CVE-2023-4863 by providing a new identifier for this vulnerability, CVE-2023-5129. However, specifically for Google Chrome, this vulnerability is tracked as CVE-2023-4863.

CVE-2023-5217 is a heap buffer overflow vulnerability in VP8 compression format in libvpx. Libvpx is a free software video codec library from Google and the Alliance for Open Media (AOMedia).

CVE-2023-5186 is a use after free vulnerability existing in Passwords.

CVE-2023-5187 is a use after free vulnerability in Extensions.

CISA has added the CVE-2023-5217 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 23, 2023.

Affected Versions

Google Chrome versions before 117.0.5938.132 are affected by this vulnerability.

Mitigation

Customers are requested to upgrade to the latest stable channel version, 117.0.5938.132, for Windows, Mac, and Linux.

Microsoft has released the Microsoft Edge Stable (Version 117.0.2045.47) and Extended Stable Channel (Version 116.0.1938.98) to address  CVE-2023-5217, which the Chromium team has reported as being exploited in the wild.

For more information, please refer to the Google Chrome release page.

References
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

READ MORE