Warning: CRITICAL ACTIVELY EXPLOITED VULNERABILITY IN LIBWEBP AFFECTING MANY PRODUCTS!

Reference: 
Advisory #2023-109
Version: 
1.0
Affected software: 
LIBWEBP (upstream)
Google Chrome
Mozilla Firefox
Microsoft Edge
Opera
Chromium Embedded Framework (CEF based apps)
Electron (Electron based apps)
Flutter (Flutter based apps)
Many other software using libwebp
Type: 
Heap Buffer Overflow
CVE/CVSS: 

CVE-2023-4863: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-2023-5129: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). This identifier was assigned by Google to the libwebp library itself and has since been rejected as a duplicate of CVE-2023-4863; CVE-2023-4863 remains the identifier to track.

Risks

An actively exploited critical vulnerability was discovered in the libwebp library, the reference library for encoding and decoding the WebP image format. libwebp is embedded in a great deal of software, including but not limited to the major web browsers (Chrome, Firefox, Edge), Chromium Embedded Framework based applications, Electron based applications and Flutter based applications.

The severity of this vulnerability depends on the application that embeds libwebp. If the application decodes a malicious WebP image, the result can be arbitrary code execution with the privileges of that application and a compromise of the machine.

Description

A heap buffer overflow in libwebp, an out-of-bounds write, can lead to arbitrary code execution in the process that decodes the image. The flaw lies in the Huffman table construction of the lossless (VP8L) decoder, a code path that is also used for lossless-compressed alpha channels of lossy images, so a crafted WebP file carrying an unexpected Huffman code length sequence is enough to trigger it. The image only has to be loaded: viewing a web page that embeds it, or receiving it as a message in a vulnerable chat client, is sufficient.
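For incident responders who need to sort a set of WebP files by whether decoding them would even reach the lossless Huffman code path, the following parser walks the RIFF container and flags files that contain a VP8L chunk, or an ALPH chunk whose header byte marks the alpha plane as lossless-compressed (including frames nested inside ANMF animation chunks). This is an added triage example written for this advisory, not CCB or libwebp project code; the sample images are constructed by hand and are not real or malicious files. A file on the lossless path is not therefore malicious; the check only tells you which files exercise the affected decoder.

```python
"""WebP container triage for CVE-2023-4863 (added example, not CCB/libwebp code).

Reports the chunk layout of a WebP file and whether decoding it would go
through libwebp's lossless (VP8L) Huffman decoder, the component in which the
heap overflow lives. Samples at the bottom are constructed inline.
"""
import struct


def parse_webp(data: bytes):
    """Return a list of (fourcc, payload) for every chunk in the container.

    Chunks nested inside ANMF animation frames are returned as well.
    Raises ValueError on a malformed container instead of guessing.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]  # size of everything after the 8-byte RIFF header
    if riff_size + 8 > len(data):
        raise ValueError("RIFF size exceeds file length")
    return _walk_chunks(data[12:riff_size + 8])


def _walk_chunks(buf: bytes):
    chunks = []
    pos = 0
    while pos + 8 <= len(buf):
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        start, end = pos + 8, pos + 8 + size
        if end > len(buf):
            raise ValueError(f"chunk {fourcc!r} of size {size} runs past end of buffer")
        payload = buf[start:end]
        chunks.append((fourcc, payload))
        if fourcc == b"ANMF":
            # Animation frame: 16-byte frame header, then the frame's own sub-chunks.
            chunks.extend(_walk_chunks(payload[16:]))
        pos = end + (size & 1)  # chunk payloads are padded to an even length
    return chunks


def uses_lossless_decoder(chunks) -> bool:
    """True if decoding these chunks reaches the VP8L Huffman table builder."""
    for fourcc, payload in chunks:
        if fourcc == b"VP8L":
            return True
        # ALPH header byte: low two bits are the compression method; 1 = lossless.
        if fourcc == b"ALPH" and payload and (payload[0] & 0x03) == 1:
            return True
    return False


def triage(data: bytes) -> dict:
    chunks = parse_webp(data)
    return {
        "chunks": [fourcc.decode("ascii") for fourcc, _ in chunks],
        "lossless_path": uses_lossless_decoder(chunks),
    }


# --- constructed sample files (synthetic, not real images) -------------------

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _webp(*chunks: bytes) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Simple lossy image: only a "VP8 " bitstream chunk.
LOSSY_SAMPLE = _webp(_chunk(b"VP8 ", b"\x00" * 10))
# Simple lossless image: a VP8L chunk (0x2f is the VP8L signature byte).
LOSSLESS_SAMPLE = _webp(_chunk(b"VP8L", b"\x2f" + b"\x00" * 4))
# Extended lossy image with lossless-compressed alpha (ALPH header byte 0x01).
ALPHA_LOSSLESS_SAMPLE = _webp(
    _chunk(b"VP8X", b"\x10" + b"\x00" * 9),   # 0x10 = alpha flag
    _chunk(b"ALPH", b"\x01" + b"\x00" * 3),
    _chunk(b"VP8 ", b"\x00" * 10),
)
# Same layout but uncompressed alpha (ALPH header byte 0x00): VP8L path not reached.
ALPHA_RAW_SAMPLE = _webp(
    _chunk(b"VP8X", b"\x10" + b"\x00" * 9),
    _chunk(b"ALPH", b"\x00" * 4),
    _chunk(b"VP8 ", b"\x00" * 10),
)
# Animated image whose single frame carries a VP8L bitstream.
ANIMATED_SAMPLE = _webp(
    _chunk(b"VP8X", b"\x02" + b"\x00" * 9),   # 0x02 = animation flag
    _chunk(b"ANIM", b"\x00" * 6),
    _chunk(b"ANMF", b"\x00" * 16 + _chunk(b"VP8L", b"\x2f" + b"\x00" * 4)),
)


if __name__ == "__main__":
    for name in ("LOSSY_SAMPLE", "LOSSLESS_SAMPLE", "ALPHA_LOSSLESS_SAMPLE",
                 "ALPHA_RAW_SAMPLE", "ANIMATED_SAMPLE"):
        print(name, triage(globals()[name]))
```

To run it over real files, read each file as bytes and pass it to triage(); anything that raises ValueError is not a well-formed WebP container and deserves a closer look on its own.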

The libwebp library is used in many applications, and the full set of software affected by this vulnerability is unknown. The software listed in this advisory has patches available, and many other vendors have already published patches on their websites.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends installing the latest libwebp updates (upstream libwebp 1.3.2 or later contains the fix).

The Centre for Cyber Security Belgium strongly recommends installing the latest updates for ALL applications using the libwebp library. Note that many applications (Chromium and Electron based software, Flutter applications and others) ship their own statically linked copy of libwebp; updating the operating system's libwebp package does not fix these, so each such application must be updated through its own vendor.
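One concrete check for the shared-library case: ask the libwebp a host actually loads for its version through the library's own WebPGetDecoderVersion() entry point and compare it with the fixed release. This is an added example written for this advisory, not CCB or libwebp code; it assumes a Linux or macOS host where ctypes can locate the library, and it deliberately reports a missing library rather than treating it as an error, because a host with no shared libwebp may still run applications that bundle a static copy.

```python
"""Query the loaded libwebp version and compare with the CVE-2023-4863 fix release.

Added example for this advisory (not CCB or libwebp code). Assumes the shared
library is discoverable by ctypes; statically linked copies inside applications
are out of reach of this check and must be verified per application.
"""
import ctypes
import ctypes.util

# First upstream release containing the fix for CVE-2023-4863.
FIXED_VERSION = (1, 3, 2)


def unpack_version(packed: int):
    """WebPGetDecoderVersion() returns major<<16 | minor<<8 | revision."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_patched(version) -> bool:
    return tuple(version) >= FIXED_VERSION


def loaded_libwebp_version(path: str = None):
    """Return (major, minor, revision) of libwebp at `path` or on the default
    loader search path, or None if no usable library can be loaded."""
    lib_path = path or ctypes.util.find_library("webp")
    if not lib_path:
        return None
    try:
        lib = ctypes.CDLL(lib_path)
        fn = lib.WebPGetDecoderVersion
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_int
    fn.argtypes = []
    return unpack_version(fn())


def report(path: str = None) -> str:
    version = loaded_libwebp_version(path)
    if version is None:
        return ("no libwebp shared library loadable; check applications that "
                "bundle their own statically linked copy")
    status = "patched" if is_patched(version) else "VULNERABLE, update required"
    return "libwebp %d.%d.%d: %s" % (*version, status)


if __name__ == "__main__":
    print(report())
```

Pass an explicit path (for example a libwebp.so found under an application's install directory) to report() to check a copy that is not on the default loader path.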
