A vulnerability in an open source video codec used by most major browsers represents a serious security threat, the US Cybersecurity and Infrastructure Security Agency (CISA) says.

The flaw affects web browsers that use the libvpx media library, an open source VP8/VP9 codec project from Google and the Alliance for Open Media. It carries a CVSS v3 base score of 8.8, which places it in the “high” severity band. A CISA announcement Monday said there is evidence that the flaw is being actively exploited in the wild, making this a zero-day threat.

The vulnerability is a buffer overflow, according to CISA. At some point the codec writes data into a memory buffer without correctly checking how large that buffer actually is, so an attacker who supplies specially crafted video input, larger than the buffer was sized for, causes the write to run past the end of the allocation and overwrite whatever sits next to it in memory. Depending on what that adjacent memory holds, the result ranges from a crash to corruption of data and pointers the program trusts. Buffer overflows, heap overflows in particular, are a favorite target for attackers because the technique applies to any code that handles untrusted input in a memory-unsafe language such as C or C++, which is what libvpx is written in.

In this case, and in keeping with the high severity score, the flaw may enable remote code execution: an attacker who corrupts the right memory can redirect the program’s control flow and deliver a payload to the vulnerable system, with the victim doing nothing more than visiting a web page that serves the crafted video content.

“If you’re really clever, you can craft an exploit that gets into system memory,” said Christopher Rodriguez, a research director at IDC. “If it were a lower level [exploit], it might be limited to what parts of memory it can touch … maybe crash an application.”

Patches have been issued for the major Chromium-based browsers, including Google Chrome and Microsoft Edge. The libvpx codec is also present in Firefox, which has also been patched. Because the bug lives in the library rather than in any one browser, other software that bundles libvpx, such as Electron-based desktop applications, needs its own update as well. The severity means that organizations must stay on top of patching in order to avoid potentially serious consequences. (The CISA notice gives federal civilian agencies until October 23 to fully protect themselves against the flaw.)

“The browser’s so powerful these days,” said Rodriguez. “So many applications work over the web, including SaaS and [business applications] designed for remote workers. Even sensitive data that goes into your personal browser can be an issue.”

Rodriguez also urged the adoption of endpoint security measures to help defend against this type of zero-day attack.
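To make the buffer-overflow mechanism described above concrete, here is an added illustration in C. It is not code from libvpx or from any browser, and the “frame format” it parses is a constructed toy (a header declaring width and height, followed by that many 8-bit samples), not the VP8 or VP9 bitstream. The hypothetical decoder sizes its output buffer from the first frame it sees and, in the vulnerable version, never checks a later frame’s declared size against that allocation; the hardened version validates the header, guards the size arithmetic and refuses to write past the buffer’s capacity.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy frame format (NOT libvpx's bitstream): a header that
 * declares width and height, followed by width*height 8-bit samples. */
typedef struct {
    uint16_t width;
    uint16_t height;
    const uint8_t *samples;   /* width*height bytes */
} frame_t;

/* Decoder output buffer, allocated on first use. */
typedef struct {
    uint8_t *buf;
    size_t cap;               /* bytes actually allocated */
} framebuf_t;

/* VULNERABLE (hypothetical): capacity is fixed by the first frame's
 * dimensions and never re-checked. A later frame that declares a larger
 * size makes memcpy write past the end of the heap allocation, i.e. a
 * heap buffer overflow that clobbers whatever the allocator placed next. */
int decode_vulnerable(framebuf_t *fb, const frame_t *f)
{
    size_t need = (size_t)f->width * f->height;
    if (fb->buf == NULL) {
        fb->buf = malloc(need);
        if (fb->buf == NULL) return -1;
        fb->cap = need;
    }
    memcpy(fb->buf, f->samples, need);   /* no bounds check against fb->cap */
    return 0;
}

/* HARDENED: reject malformed dimensions, guard the width*height multiply
 * against size_t wraparound, and refuse to write more than the buffer
 * holds. A real decoder could reallocate instead; rejecting is the
 * simplest safe choice and is what this example does. */
int decode_hardened(framebuf_t *fb, const frame_t *f)
{
    if (f->width == 0 || f->height == 0) return -1;          /* bad header */
    if ((size_t)f->width > SIZE_MAX / f->height) return -1;   /* size overflow */
    size_t need = (size_t)f->width * f->height;
    if (fb->buf == NULL) {
        fb->buf = malloc(need);
        if (fb->buf == NULL) return -1;
        fb->cap = need;
    } else if (need > fb->cap) {
        return -2;                                /* frame exceeds allocation */
    }
    memcpy(fb->buf, f->samples, need);
    return 0;
}

void framebuf_free(framebuf_t *fb)
{
    free(fb->buf);
    fb->buf = NULL;
    fb->cap = 0;
}

/* Constructed sample input: an 8x8 frame followed by a 16x16 frame that
 * plays the role of the attacker's oversize input. */
static uint8_t small_samples[8 * 8];
static uint8_t big_samples[16 * 16];
static const frame_t small_frame = { 8, 8, small_samples };
static const frame_t big_frame   = { 16, 16, big_samples };

/* Returns 1 when the hardened decoder accepts the 8x8 frame into a 64-byte
 * buffer and then rejects the 16x16 frame instead of writing 256 bytes. */
int hardened_rejects_oversize(void)
{
    framebuf_t fb = { NULL, 0 };
    int ok = decode_hardened(&fb, &small_frame) == 0
          && fb.cap == 64
          && decode_hardened(&fb, &big_frame) == -2
          && fb.cap == 64;
    framebuf_free(&fb);
    return ok;
}

int main(void)
{
    printf("hardened decoder rejects oversize frame: %s\n",
           hardened_rejects_oversize() ? "yes" : "no");

    /* Build with -fsanitize=address to watch the vulnerable path fail:
     * the second call copies 256 bytes into a 64-byte heap allocation. */
    framebuf_t vb = { NULL, 0 };
    decode_vulnerable(&vb, &small_frame);
    decode_vulnerable(&vb, &big_frame);   /* heap-buffer-overflow here */
    framebuf_free(&vb);
    return 0;
}
```

Compile with `cc -fsanitize=address -g example.c` and run it: AddressSanitizer reports a heap-buffer-overflow at the second `decode_vulnerable` call, which is the same class of defect CISA describes, while the hardened path returns an error and leaves the 64-byte allocation untouched. The point of the check is that every size used to drive a write must be compared against the capacity the buffer was actually allocated with, not against whatever the input header claims.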