CVE-2023-5217

Critical WebM bug: the libvpx library is used in thousands of packages

CVE-2023-5217: here we go again. First they came for WebP, now they’re coming for WebM.

Google’s Threat Analysis Group, led by Clément Lecigne, has discovered a high-severity heap buffer overflow vulnerability in the libvpx library, specifically in its VP8 encoding component. The issue is registered as CVE-2023-5217. This vulnerability allows for arbitrary code execution, enabling an attacker to run malicious software on a targeted system.

An exploit for this vulnerability is known to exist in the wild, raising immediate concerns. Various applications and services that use the libvpx library for VP8 and VP9 video encoding and decoding are affected.

This includes WebRTC platforms, streaming services using VP8 or VP9 formats, and even mobile apps. Multimedia applications and services relying on FFmpeg, which uses libvpx, are also at risk.

Mind you, these are only the Ubuntu/Debian-specific packages!

In fact, an anonymous user has prepared a Pastebin document listing hundreds of individual packages and thousands of dependent packages that use the libvpx library. You can also check out the official sponsors list for the WebM project, which includes big names like Opera, Android, Adobe, Oracle, and many others.

For developers and IT administrators using libvpx, upgrading to a patched version is critical. General users should keep their software up-to-date as vendors roll out patches.

Though initially reported in the context of Google Chrome (as was the case for the WebP bug), the vulnerability extends beyond the browser. This has been corroborated by Mozilla Firefox, which recently rolled out a patch, labeling the issue as critical. Firefox’s update also covers its Android versions.

The libvpx library is commonly integrated into an array of software, making it a prime target for exploitation. The vulnerability lies in how the library processes specially-crafted VP8 media streams, leading to an overflow that can compromise system integrity.

How serious is this? Heap buffer overflow is not to be taken lightly. It’s a vulnerability that allows for arbitrary code execution, meaning an attacker can execute a piece of malicious code within the affected system. When we talk about executing arbitrary code, we’re essentially saying the attacker can perform nearly any operation that the compromised application could—be it stealing sensitive information, modifying system settings, or even adding the system to a botnet for larger-scale attacks.

The CVE page initially indicated that the issue was exclusive to Chrome but has been updated to clarify its broader impact. Affected libvpx versions range from 1.13.1 back to prior releases. Developers and users alike should update their software promptly to mitigate the risk.
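A triage script for the upgrade advice above and the Debian/Ubuntu package list mentioned earlier, added here and not part of the original post. It assumes that upstream libvpx 1.13.1 is the first fixed release and that distro packages backport the fix under an older version number, so for them the changelog entry, not the bare version, is the authoritative check; the package names and paths it probes (libvpx*, /usr/share/doc) are the usual Debian ones, not values from the article.

```shell
#!/bin/sh
# Added triage helper for CVE-2023-5217 on a Debian/Ubuntu host (not from
# the article). Assumption: upstream 1.13.1 is the first fixed release.
# Distro packages usually carry the fix as a backport (e.g. 1.12.0-1ubuntu0.1),
# so the changelog check matters more than the version check for them.

FIXED_UPSTREAM="1.13.1"

# "2:1.12.0-1ubuntu0.1" -> "1.12.0": drop the Debian epoch and revision,
# then anything that is not part of a dotted numeric version.
upstream_version() {
    v="${1#*:}"
    printf '%s\n' "${v%%-*}" | sed 's/[^0-9.].*//'
}

# Return 0 if dotted version $1 is strictly older than $2 (pure sh, no sort -V).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# Return 0 if the dpkg version string $1 predates the upstream fix.
libvpx_needs_update() {
    version_lt "$(upstream_version "$1")" "$FIXED_UPSTREAM"
}

# Return 0 if the installed Debian changelog credits a fix for this CVE.
changelog_mentions_cve() {
    for f in /usr/share/doc/libvpx*/changelog.Debian.gz; do
        [ -f "$f" ] && zcat "$f" | grep -q 'CVE-2023-5217' && return 0
    done
    return 1
}

# Installed packages that pull in libvpx (the dependents that need a restart).
libvpx_dependents() {
    command -v apt-cache >/dev/null 2>&1 || return 0
    for pkg in $(dpkg-query -W -f '${Package}\n' 'libvpx*' 2>/dev/null); do
        apt-cache rdepends --installed "$pkg" 2>/dev/null | sed -n '3,$p'
    done | sort -u
}
```

Run `libvpx_needs_update "$(dpkg-query -W -f '${Version}' libvpx7)"` together with `changelog_mentions_cve` to decide whether a host is patched, then restart everything `libvpx_dependents` lists, since a loaded old copy of the shared library stays vulnerable until the process is restarted.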

About WebM

WebM is a media file format designed for the web. It wraps video streams compressed with the VP8 or VP9 codec, and audio streams compressed with the Vorbis or Opus codec. Google developed this open standard to provide a royalty-free alternative to other video formats like H.264, aiming for high-quality compression and efficient streaming. The format has gained widespread adoption due to its performance, open nature, and the fact that it’s backed by big names in tech.