CVE-2023-5217
ENISA EUVD: EUVD-2023-2578 ↗
Exploited in the Wild
✓ Confirmed 0-Day
★ Google Project Zero
Triaged: Feb. 18, 2026
21 articles
Published: 2023-09-28
EPSS Score
Source: FIRST.org · 2026-05-23
4.98%
probability
This CVE has a 4.98% probability
of being exploited in the next 30 days.
0%
Top 89.8th percentile of all CVEs
100%
CVSS v3.1
Source: VulnerabilityLookup (CIRCL)8.8
HIGH
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
VulnerabilityLookup (CNA)Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected Products
Google
Chrome
117.0.5938.132
Google
libvpx
1.13.1
Attack Intelligence
Google Project Zero
Discovered
Sept. 25, 2023
Patched
Sept. 27, 2023
Reported by
Clément Lecigne of Google's Threat Analysis Group
Root Cause Analysis
???
Exploits & PoC
UT-Security/cve-2023-5217-poc
A PoC to trigger CVE-2023-5217 from the Browser WebCodecs or MediaRecorder interface.
16
2023-10-11
3 repos — triés par ⭐
Rechercher sur GitHub ↗
Signal Intelligence
Confidence
92%
EPSS
4.98%
CVSS v3.1
8.8
Mentions
21
Last Seen
Mar 11, 2025
CNA Information
CNA Assigner
Chrome
Analyst Note
CVE-2023-5217 is a high-severity heap buffer overflow in Chrome's VP8 encoding with CVSS 8.8, confirmed by Google and documented in Project Zero. The vulnerability has been actively exploited in the wild and fixed in Chrome 117.0.5938.132, with multiple credible security sources reporting on the vulnerability and its exploitation.
Triage Info
Decided atFeb 18, 2026
Published DateSep 28, 2023