⚠ Actively exploited

Added to CISA KEV on 2023-09-13. Federal agencies required to patch by 2023-10-04. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-4863

CWE-787 — Out-of-bounds Write CWE-122 — Heap-based Buffer Overflow59 documents21 sources

Severity

8.8HIGH

EPSS

93.6%

top 0.16%

CISA KEV

KEV

Added 2023-09-13

Due 2023-10-04

Exploit

Exploited in wild

Active exploitation observed

Affected products

Platform External/webp Google Chrome Google Libwebp +11 more

Timeline

PublishedSep 12

KEV addedSep 13

KEV dueOct 4

Latest updateMar 1

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages53 packages

▶CVEListV5google/libwebp1.3.2 — 1.3.2

▶crates.iolibwebp-sys< 0.9.3

▶crates.iolibwebp-sys20.0.0-0 — 0.1.8+1

▶CVEListV5google/chrome116.0.5845.187 — 116.0.5845.187

▶NVDgoogle/chrome< 116.0.5845.187

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 37, 38, 39

Patches

Patch: github.com ↗Patch: msrc.microsoft.com ↗Patch: github.com ↗

🔴Vulnerability Details

Project0

Blasting Past Webp - Project Zero↗2025-03-01

▶

GHSA

opencv-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863↗2024-08-30

▶

GHSA

opencv-contrib-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863↗2024-08-30

▶

OSV

opencv-contrib-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863↗2024-08-30

▶

OSV

opencv-contrib-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863↗2024-08-30

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Platform (libwebp) — CVE-2023-4863↗2024-04-15

▶

Android

CVE-2023-4863: Android Security Bulletin 2023-10-01 CVE: CVE-2023-4863 Severity: CRITICAL Type: RCE Affected AOSP versions: 11, 12, 12L, 13, 14 References: A-2994775↗2023-10-01

▶

Ubuntu

libwebp vulnerability↗2023-09-28

▶

Chrome

Long Term Support (LTS) channel for ChromeOS - Major update from 108 -> 114: CVE-2023-4863↗2023-09-27

▶

Ubuntu

Firefox vulnerability↗2023-09-14

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft Edge, Teams get fixes for zero-days in open-source libraries↗2023-10-03

▶

Wiz

CVE-2023-4863 and CVE-2023-5217 Exploited in the Wild | Wiz Blog↗2023-10-01

▶

Wiz

CVE-2023-4863 and CVE-2023-5217 Exploited in the Wild | Wiz Blog↗2023-10-01

▶

Huntress

Critical Vulnerability: WebP Heap Buffer Overflow (CVE-2023-4863) | Huntress↗2023-09-28

▶

Bleepingcomputer

Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks↗2023-09-12

▶

💬Community

Bugzilla

Out-of-bounds write in BuildHuffmanTable↗2023-09-12

▶