New Chrome 0-Day Exploit Targets Major Vulnerability in Libvpx Video Library

New Chrome 0-day (CVE-2023-5217) exploits vulnerability in libvpx library used for VP8 video encoding. Affects Chrome, Firefox, and likely many other software packages.
Bug allows remote code execution just by visiting malicious site, like previous 0-day (CVE-2023-4863) disclosed on Sept. 11.
Libvpx library is widely used across the internet for VP8 encoding. Hundreds of software packages are potentially affected.
Exploits are being used in the wild by a commercial surveillance vendor, but few details currently available.
This is the second critical Chrome 0-day stemming from memory corruption bug in an aging, unsafe C library in past 2 weeks.

arstechnica.com

Relevant topic timeline:

9/11/2023

Google Rushes Out Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google has released emergency security updates for Chrome to address a zero-day vulnerability (CVE-2023-4863) that has been exploited in attacks, urging users to update their browsers to prevent further exploitation.

9/14/2023

Major Browsers Release Critical Security Updates - Update Now to Fix WebP Vulnerability

Many popular web browsers including Google Chrome, Microsoft Edge, Firefox, and Brave have issued security updates to fix a critical vulnerability that could allow malicious code to be run on users' computers.

9/27/2023

Google Patches Critical Chrome Flaw Exploited to Install Spyware, 5th Zero-Day This Year

Google has released emergency security updates to patch a zero-day vulnerability in Chrome that has been exploited in spyware attacks, with the vulnerability caused by a heap buffer overflow weakness in the VP8 encoding of the libvpx video codec library.