CVE-2023-4863 : Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and lib

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Published 2023-09-12 15:15:24

Updated 2025-03-13 16:17:16

Source Chrome

View at NVD, CVE.org

Vulnerability category: Overflow

Products affected by CVE-2023-4863

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 12.0
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
Matching versions
Microsoft » Teams » For Macos
Versions before (<) 1.6.00.26463
cpe:2.3:a:microsoft:teams:*:*:*:*:*:macos:*:*
Matching versions
Microsoft » Teams » Desktop Edition
Versions before (<) 1.6.00.26474
cpe:2.3:a:microsoft:teams:*:*:*:*:desktop:*:*:*
Matching versions
Microsoft » Edge Chromium
Versions before (<) 116.0.1938.81
cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Webp Image Extension
Versions before (<) 1.0.62681.0
cpe:2.3:a:microsoft:webp_image_extension:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox »
Versions before (<) 117.0.1
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Matching versions
Mozilla » Firefox » ESR Edition
Versions from including (>=) 115.1.0 and before (<) 115.2.1
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Matching versions
Mozilla » Firefox » ESR Edition
Versions before (<) 102.15.1
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Matching versions
Mozilla » Thunderbird
Versions from including (>=) 115.0 and before (<) 115.2.2
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 102.15.1
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Google » Chrome
Versions before (<) 116.0.5845.187
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 38
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 39
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Bentley » Seequent Leapfrog
Versions before (<) 2023.2
cpe:2.3:a:bentley:seequent_leapfrog:*:*:*:*:*:*:*:*
Matching versions
Bandisoft » Honeyview
Versions before (<) 5.51
cpe:2.3:a:bandisoft:honeyview:*:*:*:*:*:*:*:*
Matching versions
Webmproject » Libwebp
Versions before (<) 1.3.2
cpe:2.3:a:webmproject:libwebp:*:*:*:*:*:*:*:*
Matching versions

CVE-2023-4863 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Google Chromium WebP Heap-Based Buffer Overflow Vulnerability

CISA required action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA description:

Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect applications that use the WebP Codec.

Notes:

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html?m=1; https://nvd.nist.gov/vuln/detail/CVE-2023-4863

Added on 2023-09-13 Action due date 2023-10-04

Exploit prediction scoring system (EPSS) score for CVE-2023-4863

EPSS FAQ

93.95%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-4863

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-4863

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-4863

https://bugzilla.suse.com/show_bug.cgi?id=1215231

1215231 – (CVE-2023-4863) VUL-0: CVE-2023-4863: libwebp,MozillaFirefox,MozillaThunderbird,chromium,ungoogled-chromium: Heap buffer overflow in WebP
Issue Tracking;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html

[SECURITY] [DLA 3570-1] libwebp security update
Mailing List;Third Party Advisory
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 — Mozilla
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/

[SECURITY] Fedora 39 Update: libwebp-1.3.1-3.fc39 - package-announce - Fedora Mailing-Lists
Mailing List
https://github.com/webmproject/libwebp/releases/tag/v1.3.2

Release v1.3.2: libwebp-1.3.2 · webmproject/libwebp · GitHub
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/

[SECURITY] Fedora 38 Update: chromium-117.0.5938.62-1.fc38 - package-announce - Fedora Mailing-Lists
Mailing List

CVEs referencing this url
https://blog.isosceles.com/the-webp-0day/

The WebP 0day
Exploit;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/

[SECURITY] Fedora 38 Update: libwebp-1.3.1-3.fc38 - package-announce - Fedora Mailing-Lists
Mailing List
https://www.bentley.com/advisories/be-2023-0001/

BE-2023-0001 | Bentley Systems | Infrastructure Engineering Software Company
Third Party Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863

CVE-2023-4863 - Security Update Guide - Microsoft - Chromium: CVE-2023-4863 Heap buffer overflow in WebP
Patch;Third Party Advisory
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html

Chrome Releases: Stable Channel Update for Desktop
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/

[SECURITY] Fedora 37 Update: chromium-117.0.5938.88-1.fc37 - package-announce - Fedora Mailing-Lists
Mailing List

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2023/09/22/1

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/6

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/

[SECURITY] Fedora 39 Update: firefox-117.0.1-2.fc39 - package-announce - Fedora Mailing-Lists
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/28/4

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List

CVEs referencing this url
https://news.ycombinator.com/item?id=37478403

Chrome: Heap buffer overflow in WebP | Hacker News
Exploit;Third Party Advisory
https://security.gentoo.org/glsa/202401-10

Mozilla Firefox: Multiple Vulnerabilities (GLSA 202401-10) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://en.bandisoft.com/honeyview/history/

Honeyview - Version history, Changelog
Release Notes
https://crbug.com/1479274

Sign in - Google Accounts
Issue Tracking;Vendor Advisory
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

Critical WebP bug: many apps, not just browsers, under threat
Exploit;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/22/3

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
https://www.debian.org/security/2023/dsa-5497

Debian -- Security Information -- DSA-5497-1 libwebp
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/21/4

oss-security - CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List

CVEs referencing this url
https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/

Google fixes another Chrome zero-day bug exploited in attacks
Third Party Advisory
https://www.vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863

Exploit;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/26/1

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List

CVEs referencing this url
https://www.debian.org/security/2023/dsa-5496

Debian -- Security Information -- DSA-5496-1 firefox-esr
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/

[SECURITY] Fedora 37 Update: libwebp-1.3.1-3.fc37 - package-announce - Fedora Mailing-Lists
Mailing List
https://security.netapp.com/advisory/ntap-20230929-0011/

CVE-2023-4863 Libwebp Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a

Fix OOB write in BuildHuffmanTable. · webmproject/libwebp@902bc91 · GitHub
Patch
https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html

[SECURITY] [DLA 3568-1] firefox-esr security update
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/28/1

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/8

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html

[SECURITY] [DLA 3569-1] thunderbird security update
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/26/7

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/

Whose CVE Is It Anyway? - Adam Caudill
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/

[SECURITY] Fedora 39 Update: chromium-117.0.5938.132-2.fc39 - package-announce - Fedora Mailing-Lists
Mailing List

CVEs referencing this url
https://security.gentoo.org/glsa/202309-05

WebP: Multiple vulnerabilities (GLSA 202309-05) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2023/dsa-5498

Debian -- Security Information -- DSA-5498-1 thunderbird
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/28/2

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List

CVEs referencing this url
https://security-tracker.debian.org/tracker/CVE-2023-4863

CVE-2023-4863
Issue Tracking;Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/22/4

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
https://sethmlarson.dev/security-developer-in-residence-weekly-report-16

Patching the libwebp vulnerability across the Python ecosystem
Exploit
http://www.openwall.com/lists/oss-security/2023/09/22/5

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/7

oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
Mailing List