CVE-2023-5217
Out-of-bounds Write: is CVE-2023-5217real, exploitable, or a false positive? Here's the community verdict.
signals
public sources
Confirmed exploited in the wild. Patch this first, regardless of the base score.
public exploits
links to sources — we don’t host codeUnverified proof-of-concept code has been published. It may or may not be functional — assess before relying on it.
baseline read
auto · not a community verdict
Real — exploited in the wild
CISA confirms active exploitation. Treat scanner hits as true positives unless your specific version or config is unaffected.
Based on CISA KEV
Confirm or dispute →CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
References
Published
Embed this verdict
[](https://www.truepositive.app/cve/CVE-2023-5217)<a href="https://www.truepositive.app/cve/CVE-2023-5217"><img src="https://www.truepositive.app/cve/CVE-2023-5217/badge.svg" alt="TruePositive verdict for CVE-2023-5217"></a>Live badge that updates automatically as the community verdict changes.
Community ground truth
Be the first practitioner to weigh in
So far this is only TruePositive's editorial baseline from public sources. Add your real-world verdict below — it becomes the signal the next person triaging this relies on.
🥇 The first 50 practitioners to contribute earn a Founding Contributor badge.
In your experience, is this finding real and exploitable?
1 verdictIncludes TruePositive's curated baseline from public sources. Community verdicts accrue on top.
No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.
In line with its CVSS base score.
Field notes & remediation
Verdicts are the quick signal. Notes are the evidence and fixes behind them.
- 0
Google Chromium libvpx Heap Buffer Overflow Vulnerability — Google Chromium libvpx contains a heap buffer overflow vulnerability in vp8 encoding that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using libvpx, including but not limited to Google Chrome. Listed in the CISA KEV catalog (added 2023-10-02) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~49%. Treat it as real and prioritize remediation over triage.
- 0
Required action for Google Chromium libvpx: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. CISA set a federal remediation due date of 2023-10-23. After patching, verify the vulnerable path is no longer reachable before closing the finding.
Add a field note or remediationoptional
Related CVEs
Same weakness: CWE-787 · Out-of-bounds Write.
- CVE-2015-3113CRIT 9.8KEVEPSS 100%
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in June 2015.
- CVE-2023-4863HIGH 8.8KEVEPSS 100%
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
- CVE-2023-34048CRIT 9.8KEVEPSS 99%
vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.
- CVE-2008-2992HIGH 7.8KEVEPSS 98%
Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
- CVE-2015-1641HIGH 7.8KEVEPSS 97%
Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."
- CVE-2019-5544CRIT 9.8KEVEPSS 97%
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.