CVE-2023-36872 Overview
CVE-2023-36872 is an information disclosure vulnerability in Microsoft VP9 Video Extensions. The flaw allows a local attacker to read sensitive memory contents when a user opens a specially crafted video file. Microsoft published the advisory on July 11, 2023, and the issue is tracked under [CWE-20] Improper Input Validation. Exploitation requires user interaction but no privileges, and the impact is limited to confidentiality.
Critical Impact
A local attacker can disclose sensitive process memory by tricking a user into opening a malicious VP9-encoded media file processed by the Microsoft VP9 Video Extensions component.
Affected Products
- Microsoft VP9 Video Extensions (Windows Store component)
- Windows systems where the VP9 Video Extensions package is installed
- Applications that rely on the VP9 codec provided by Microsoft Store
Discovery Timeline
- 2023-07-11 - CVE-2023-36872 published to NVD and Microsoft Security Update Guide
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-36872
Vulnerability Analysis
The vulnerability resides in Microsoft VP9 Video Extensions, the Store-delivered codec package that decodes VP9-encoded media on Windows. The defect is categorized as improper input validation [CWE-20] leading to information disclosure. When the extension parses a malformed VP9 stream, it returns data from memory regions that should not be exposed to the calling process or user. The attack vector is local, requiring the victim to open or render a crafted video file. The flaw affects confidentiality only and does not modify data or disrupt service.
Root Cause
The root cause is improper validation of fields within a VP9 bitstream during decoding. Insufficient bounds or state checks during frame parsing cause the decoder to read beyond intended buffers or return uninitialized memory. The disclosed bytes can include adjacent heap contents from the media pipeline process.
Attack Vector
An attacker crafts a malicious VP9 video file and delivers it through email, web download, removable media, or any channel that prompts a user to open the file. When the file is rendered by an application that uses the VP9 Video Extensions, the decoder leaks memory contents the attacker can exfiltrate through staged output frames or paired channels. No elevated privileges are required, but the user must interact with the file.
No public proof-of-concept code is available for CVE-2023-36872. See the Microsoft Security Update Guide entry for CVE-2023-36872 for vendor technical details.
Detection Methods for CVE-2023-36872
Indicators of Compromise
- Unexpected execution of VP9VideoExtensions components launched by browsers, mail clients, or chat applications opening untrusted media.
- Crashes or anomalous memory reads originating from media foundation processes such as mfpmp.exe or dllhost.exe while decoding VP9 content.
- Inbound VP9-encoded files (.webm, .mkv, .mp4 containing VP9 streams) from untrusted senders or web origins.
Detection Strategies
- Inventory installed versions of the Microsoft VP9 Video Extensions package across endpoints and flag versions predating the July 2023 update.
- Inspect media files received from untrusted sources for VP9 codec usage and atypical stream parameters.
- Correlate user file-open events with subsequent media pipeline process anomalies to surface exploitation attempts.
Monitoring Recommendations
- Monitor Microsoft Store update logs to confirm the VP9 Video Extensions package is current on managed devices.
- Log process creation and image loads for media foundation host processes to identify unusual codec invocations.
- Track endpoint telemetry for repeated decoder faults associated with VP9 content from a single source.
How to Mitigate CVE-2023-36872
Immediate Actions Required
- Apply the Microsoft security update for VP9 Video Extensions through the Microsoft Store on all affected endpoints.
- Verify the installed package version against the fixed build referenced in the Microsoft Security Update Guide.
- Restrict user handling of untrusted media files until patch deployment is confirmed.
Patch Information
Microsoft addressed CVE-2023-36872 in a security update distributed through the Microsoft Store. The VP9 Video Extensions package updates automatically on systems with Store updates enabled. Administrators managing offline or restricted environments should consult the Microsoft Security Update Guide for CVE-2023-36872 for the fixed version number and offline deployment guidance.
Workarounds
- Block delivery of VP9-encoded media files from untrusted sources at the email gateway and web proxy until patching is complete.
- Remove the VP9 Video Extensions package on systems that do not require VP9 playback using Get-AppxPackage and Remove-AppxPackage in PowerShell.
- Educate users to avoid opening unsolicited video attachments and links to untrusted media content.
# Verify and update Microsoft VP9 Video Extensions package version
Get-AppxPackage -Name Microsoft.VP9VideoExtensions | Select-Object Name, Version
# Trigger Microsoft Store app updates
Start-Process "ms-windows-store://downloadsandupdates"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
