VP8/VP9's libvpx 1.13.1 Released Due To A High Severity Vulnerability
Google on Friday released libvpx 1.13.1 as the newest update to this open-source reference encoder for the VP8 and VP9 video codecs. The release addresses CVE-2023-5217, a "high" severity vulnerability that has been exploited in at least the Google Chrome web browser.
CVE-2023-5217 is a heap buffer overflow in the VP8 encoding path of libvpx as used by Google Chrome. With earlier Chrome versions and libvpx releases before 1.13.1, a remote attacker could potentially exploit heap corruption via a specially crafted HTML page. Google is aware of an exploit for this vulnerability existing in the wild.
Details on this security vulnerability can be found via the oss-security list.
The libvpx 1.13.1 update released on Friday night carries the security fix for CVE-2023-5217 as well as a fix for a crash related to VP9 encoding.