Libwebp Heap Buffer Overflow Vulnerability (CVE-2023-4863)

Sep 28, 2023 GMT+08:00

I. Overview

Google has disclosed, in a Chrome security notice, a heap buffer overflow vulnerability (CVE-2023-4863) in libwebp versions earlier than 1.3.2. The defect is in the Huffman code table construction of the lossless (VP8L) decoder: a crafted set of Huffman code lengths causes the decoder to write beyond the heap buffer allocated for the table. An unauthenticated attacker who can get a malicious WebP file decoded by a vulnerable application (for example, by serving it on a web page or sending it as an image attachment) can trigger the out-of-bounds write, and successful exploitation can lead to remote code execution. A proof of concept has been published and the vulnerability has been exploited in the wild, so the risk is high.

libwebp is a widely used open-source library for encoding and decoding images in WebP format. Many applications ship their own copy of libwebp (statically linked or bundled) rather than using the system package, so check every copy your software depends on, not only the version reported by the operating system, and apply the fix promptly.

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

https://github.com/advisories/GHSA-hhrh-69hc-fgg7

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

libwebp < 1.3.2

All applications that use the libwebp component, whether through a system package or a bundled copy (including mainstream browsers, Linux distributions, image viewers and image-processing software, Android applications, and Electron/Flutter cross-platform frameworks)

Secure versions:

libwebp >= 1.3.2

IV. Vulnerability Handling

This vulnerability has been fixed in libwebp 1.3.2. If the libwebp version you use falls into the affected range, upgrade it to the secure version. For applications that bundle their own copy of libwebp (browsers, Electron and Flutter apps, and similar), the library cannot be upgraded independently; install the vendor's patched release of the application instead. Linux distributions often backport the fix while keeping the older upstream version number, so confirm a distribution package's status against the distribution's own advisory or the package changelog rather than the version string alone.

https://github.com/webmproject/libwebp/tags

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
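The following script is an added example for this notice; it is not part of the original text or of the libwebp project. It normalizes packaging version strings (Debian and RPM revisions, epochs) to the upstream dotted form, compares them against 1.3.2, and probes a Linux host through pkg-config, dpkg-query and rpm before listing libwebp shared objects outside the system library directories, which are likely bundled copies that the package manager does not track. The package name patterns and the excluded paths are assumptions; the comparison is against the upstream version only, so a distribution package that carries a backported fix will still be flagged and must be checked against the distribution advisory.

```sh
#!/bin/sh
# Added example for this notice (not part of the original text or of libwebp):
# find libwebp copies on a Linux host and flag versions below the fixed release.
# Assumptions: pkg-config, dpkg-query and rpm are optional probes; bundled copies
# are located by file name only; package patterns and paths are illustrative.

FIXED_VERSION="1.3.2"

# Reduce a packaging version string to its upstream dotted form: strip a leading
# epoch ("2:") and everything from the first character that is neither a digit
# nor a dot (Debian "-0.2+deb12u1", RPM "-3.el9", and similar suffixes).
normalize_version() {
    printf '%s' "$1" | sed -e 's/^[0-9]*://' -e 's/[^0-9.].*//'
}

# Return 0 (true) if dotted version $1 is strictly lower than $2.
# Both are padded with ".0.0" so a short version such as "1.3" compares as 1.3.0.
version_lt() {
    v1="$1.0.0"
    v2="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i")
        b=$(printf '%s' "$v2" | cut -d. -f"$i")
        a=${a:-0}
        b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Classify a version string (raw packaging form accepted) against the fix.
libwebp_status() {
    v=$(normalize_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "OK"
    fi
}

# Probe pkg-config and the package manager, then list shared objects outside the
# system library directories: these are usually copies bundled with applications
# (browsers, Electron apps, Python wheels). The soname libwebp.so.7 spans many
# releases, so a bundled file must be checked against the vendor's own advisory.
scan_host() {
    if command -v pkg-config >/dev/null 2>&1; then
        v=$(pkg-config --modversion libwebp 2>/dev/null) &&
            echo "pkg-config libwebp $v: $(libwebp_status "$v")"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libwebp*' 2>/dev/null |
            while read -r pkg ver; do
                echo "dpkg $pkg $ver: $(libwebp_status "$ver")"
            done
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'libwebp*' 2>/dev/null |
            while read -r pkg ver; do
                echo "rpm $pkg $ver: $(libwebp_status "$ver")"
            done
    fi
    find / -xdev -type f -name 'libwebp*.so*' 2>/dev/null |
        grep -v -e '^/usr/lib' -e '^/lib' |
        while read -r f; do
            echo "untracked copy: $f (verify against the shipping application's advisory)"
        done
}

# Run the host scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it as `sh check_libwebp.sh --scan` on each host; any line reporting VULNERABLE on a distribution package should then be cross-checked with the distribution's changelog, and every "untracked copy" line identifies an application that needs its own vendor update rather than a system package upgrade.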