Critical Zero-day Vulnerability Affecting libwebp Library

Published on 27 Sep 2023

Security researchers have discovered a critical vulnerability (CVE-2023-5129) affecting the lipwebp open-source library, an image compression library used in Chromium and other software solutions that support WebP images. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 10 out of 10 and is reportedly being actively exploited.

Exploitation of the buffer overflow vulnerability in the Huffman coding algorithm used by lipwebp for lossless compression could allow an unauthenticated attacker to execute out-of-bounds memory writes using maliciously crafted HTML pages, potentially leading to denial-of-service conditions, arbitrary code execution and/or unauthorised access to sensitive information.

The vulnerability affects products that use the vulnerable versions (between 0.5.0 and 1.3.2) of the lipwebp library.

Users and administrators of affected products are advised to upgrade to the latest product versions immediately or once they are released.

More information is available here:

https://nvd.nist.gov/vuln/detail/CVE-2023-5129

https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a

https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/

https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/

Tags
Alerts Alerts & Advisories
Share