Google has released emergency updates to address a zero-day vulnerability in its Chrome browser. CVE-2023-5217 is a high-severity memory-corruption vulnerability that can lead to a browser crash or arbitrary code execution in the context of the renderer. Google states in the advisory that an exploit for the vulnerability exists in the wild.
Clément Lecigne of Google’s Threat Analysis Group (TAG) discovered and reported the vulnerability.
In the same batch of updates, Google also addressed two more high-severity vulnerabilities, CVE-2023-5186 and CVE-2023-5187.
CVE-2023-5217 is the fifth zero-day vulnerability addressed in Google Chrome since the start of the year. The earlier four are:
- CVE-2023-4863 (September) – Heap buffer overflow in WebP
- CVE-2023-3079 (June) – Type confusion in V8
- CVE-2023-2136 (April) – Integer overflow in Skia
- CVE-2023-2033 (April) – Type confusion in V8
Google subsequently issued a second identifier, CVE-2023-5129, for the underlying libwebp flaw behind CVE-2023-4863, to reflect that it affects every product embedding libwebp and not only Chrome. For Google Chrome itself the vulnerability remains tracked as CVE-2023-4863; CVE-2023-5129 was later rejected as a duplicate, so CVE-2023-4863 is the identifier to use when searching advisories and scan results.
CVE-2023-5217 is a heap buffer overflow in the VP8 encoding path of libvpx. Libvpx is a free software video codec library from Google and the Alliance for Open Media (AOMedia) that implements the VP8 and VP9 formats. Because the flaw lives in a shared library rather than in Chrome-specific code, other software that bundles libvpx is exposed to the same bug; Mozilla, for example, shipped Firefox 118.0.1 to address CVE-2023-5217.
CVE-2023-5186 is a use-after-free vulnerability in the Passwords component.
CVE-2023-5187 is a use-after-free vulnerability in the Extensions component.
CISA has added CVE-2023-5217 to its Known Exploited Vulnerabilities Catalog, which under BOD 22-01 requires Federal Civilian Executive Branch agencies to apply the fix by October 23, 2023; other organizations are strongly encouraged to treat that date as their deadline as well.
Affected Versions
Google Chrome versions before 117.0.5938.132 are affected by this vulnerability.
Mitigation
Customers are requested to upgrade to the latest stable channel version, 117.0.5938.132, for Windows, Mac, and Linux.
Microsoft has released the Microsoft Edge Stable (Version 117.0.2045.47) and Extended Stable Channel (Version 116.0.1938.98) to address CVE-2023-5217, which the Chromium team has reported as being exploited in the wild.
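The fixed build numbers above are only useful if version checks compare them correctly. A naive string comparison gets this wrong ("117.0.5938.92" sorts after "117.0.5938.132"), and Edge has a separate Extended Stable line on 116 that is also fixed, so "older major than 117" is not the same as "vulnerable". The following script is an added example, not Google's, Microsoft's or Qualys' code: it parses the `--version` banner of Chrome or Edge, compares it numerically against the fixed builds named in this advisory, and handles the Edge Extended Stable case. The sample banners are constructed, and the Linux/macOS binary names used for the local check are assumptions.

```python
"""Added example: classify a Chrome/Edge build as fixed or vulnerable for
CVE-2023-5217 using the fixed builds from the advisory.  Not vendor code."""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First fixed build per release line, taken from the advisory above.
# Edge's Extended Stable channel on 116 received its own fix, so a 116.x
# Edge build must be compared against 116.0.1938.98, not dismissed outright.
FIXED_BUILDS: Dict[str, Dict[int, Version]] = {
    "chrome": {117: (117, 0, 5938, 132)},
    "edge": {116: (116, 0, 1938, 98), 117: (117, 0, 2045, 47)},
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Extract a four-part Chromium version from text such as
    'Google Chrome 117.0.5938.132'.  Returns None if no version is present.
    The result is a tuple of ints so that comparisons are numeric, not
    lexicographic."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(product: str, version: Version) -> bool:
    """True when the build predates the fix for CVE-2023-5217.

    - major version with a known fixed build: compare numerically
    - major newer than any listed line: shipped after the fix, treat as fixed
    - major older than the fixed lines with no fix of its own
      (e.g. Chrome 116 stable, Edge 115): vulnerable
    """
    lines = FIXED_BUILDS[product]
    major = version[0]
    if major in lines:
        return version < lines[major]
    return major < max(lines)


def assess(product: str, banner: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a version banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(product, version) else "fixed"


def installed_version(product: str) -> Optional[Version]:
    """Ask a locally installed browser for its version.  Binary names are
    assumptions for common Linux/macOS installs; returns None if none found."""
    candidates = {
        "chrome": ["google-chrome", "google-chrome-stable", "chromium"],
        "edge": ["microsoft-edge", "microsoft-edge-stable"],
    }
    for name in candidates[product]:
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
            return parse_version(out)
    return None


# Constructed sample banners (not real scan data) covering the edge cases.
SAMPLE_BANNERS = [
    ("chrome", "Google Chrome 117.0.5938.92"),     # string compare would say fixed
    ("chrome", "Google Chrome 117.0.5938.132"),    # first fixed stable build
    ("chrome", "Chromium 116.0.5845.187"),         # older line, no fix
    ("edge", "Microsoft Edge 116.0.1938.81"),      # Extended Stable, pre-fix
    ("edge", "Microsoft Edge 116.0.1938.98"),      # Extended Stable, fixed
    ("edge", "Microsoft Edge 117.0.2045.47"),      # Stable, fixed
]

if __name__ == "__main__":
    for product, banner in SAMPLE_BANNERS:
        print(f"{banner:32s} -> {assess(product, banner)}")
    for product in FIXED_BUILDS:
        local = installed_version(product)
        if local is not None:
            state = "vulnerable" if is_vulnerable(product, local) else "fixed"
            print(f"local {product} {'.'.join(map(str, local))} -> {state}")
```

Note that `max(lines)` makes any major newer than the advisory's lines count as fixed, which is correct for a check scoped to CVE-2023-5217 only; a general patch-level check would instead compare against the current release for each line.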
For more information, please refer to the Google Chrome release page.
Qualys Detection
Qualys customers can scan their devices with QIDs 378549 and 378911 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html