cbcvebase.
CVE-2023-5129
published 2023-09-25

CVE-2023-5129: With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer…

high7.8
ITW
Exploited in the wild
With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.

Affected

17 ranges
VendorProductVersion rangeFixed in
apacheguacamole
electronelectron>= 22.0.0 < 22.3.2422.3.24
electronelectron>= 24.0.0 < 24.8.324.8.3
electronelectron>= 25.0.0 < 25.8.125.8.1
electronelectron>= 26.0.0 < 26.2.126.2.1
electronelectron>= 27.0.0-beta.1 < 27.0.0-beta.227.0.0-beta.2
github.comchai2010_webp>= 0 < 0.0.0-20250406010349-76805d5a88600.0.0-20250406010349-76805d5a8860
github.comchai2010_webp>= 0.0.0 < 1.1.2-0.20250406010349-76805d5a88601.1.2-0.20250406010349-76805d5a8860
github.comchai2010_webp>= 1.1.2 < 1.4.01.4.0
microsoftwebp_image_extension>= 0 < 0.2.60.2.6
mozillafirefox
platformexternal_webp>= 11:0 < 11:2023-10-0611:2023-10-06
platformexternal_webp>= 12:0 < 12:2023-10-0612:2023-10-06
platformexternal_webp>= 12L:0 < 12L:2023-10-0612L:2023-10-06
platformexternal_webp>= 13:0 < 13:2023-10-0613:2023-10-06
platformexternal_webp>= 14-next:0 < 14-next:2023-10-0614-next:2023-10-06
pythonpillow>= 0 < 10.0.110.0.1

CVSS provenance

ghsa8.8HIGH
osv8.8HIGH